Abstract

We are interested in verifying dynamic properties of finite state reactive systems under fairness assumptions by model checking. The systems we want to verify are specified through a top-down refinement process.

In order to deal with the state explosion problem, we have proposed in previous works to partition the reachability graph, and to perform the verification on each part separately. Moreover, we have defined a class, called $B_{mod}$, of dynamic properties that are verifiable by parts, whatever the partition. We decide if a property $P$ belongs to $B_{mod}$ by looking at the form of the Büchi automaton that accepts $\neg P$. However, when a property $P$ belongs to $B_{mod}$, the property $f \Rightarrow P$, where $f$ is a fairness assumption, does not necessarily belong to $B_{mod}$.

In this paper, we propose to use the refinement process in order to build the parts on which the verification has to be performed. We then show that with such a partition, if a property $P$ is verifiable by parts and if $f$ is the expression of the fairness assumptions on a system, then the property $f \Rightarrow P$ is still verifiable by parts.

This approach is illustrated by its application to the chip card protocol T=1 using the B engineering design language.

Keywords: refinement design, PLTL model checking, fairness assumptions, out-of-core model checking.

1 Motivations 

This paper is about the verification of dynamic properties of finite state systems. In our approach, reactive systems are modeled by transition systems expressed as event systems, for example in B [Abr96], and are specified through a top-down refinement process. We propose to express the dynamic properties (safety, liveness) as formulae of the Propositional Linear Temporal Logic (PLTL) [MP92, AM98], and to verify them by model checking [QS82, CKS86, CGP99].

It is well known that the main drawback of PLTL model checking [LP85, VW86] is that it cannot handle very large finite systems. To avoid the model checking explosion, many solutions have been proposed, such as partial order [KP88, WG93], abstraction [CC77, CGL94, DF95] and symbolic representation by BDD [BCMD90, McM93]. For a class of PLTL properties, we propose another solution which is compatible with the previous ones.

1.1 Our Propositions 

In order to deal with the problem of the exponential blow up of the PLTL model checking, we have proposed in [JMM01, MMJ00] a method that relies on a partitioning of the transition system into several parts. The properties are verified on each part separately by an out-of-core [Tol99] model checking technique. As every part is verified separately from the others, the other parts can be stored on disks while the part of interest is in the main memory. We call verifiable by parts the properties that are such that if they hold on every part of a transition system (whatever the partitioning), then they hold on the whole transition system. A sufficient condition $C$ on the Büchi automaton which accepts the $\omega$-language of the negation $\neg P$ of a property $P$ allows us to decide if $P$ is verifiable by parts. $C$ is a syntactic condition on the Büchi automata. Safety and liveness properties such as $\Box(p \Rightarrow \bigcirc q)$, $\Box(p \Rightarrow \Diamond q)$ and $\Box(p \Rightarrow r\,U\,q)$ are verifiable by parts.

The fact that a property $P$ is verifiable by parts does not depend on the way the parts are constructed. But, when verifying $P$ by parts, the fact that $P$ holds on every part does depend on it. We have proposed a partitioning based on the refinement process.

Notice that choosing a partitioning method allows more PLTL properties to be verifiable by parts. Some 
PLTL properties that are not verifiable by parts for all possible partitionings might become verifiable by 
parts under the hypothesis of this particular partitioning. 

In this paper, we extend our verification method to liveness properties on transition systems provided with fairness assumptions. To verify a property $P$ under the fairness assumptions $f$, it is necessary to verify that $f \Rightarrow P$ holds on the transition system. The problem for verifying $f \Rightarrow P$ by parts is that even if $P$ is verifiable by parts for all partitionings, the Büchi automaton of $\neg(f \Rightarrow P)$ does not in general satisfy the condition $C$. However, with the fair refinement based partitioning proposed in the paper, it is enough that a property $P$ is verifiable by parts for all partitionings, i.e. satisfies $C$, for having $f \Rightarrow P$ verifiable by this particular partitioning.

1.2 Related Works 

The component verification of a multiprocess system is achieved by verifying the properties separately on each component. Then, the compositionality with respect to parallel composition ensures that the properties hold on the whole system (see [CLM89, KL93, KV98, AdAHM99, KKPR99]). Generally, this method allows verifying safety properties because a component extracted from its environment is an abstraction of the parallel system. For example, [KL93] proves that $C_1 \| C_2$ satisfies an invariant $I_1 \wedge I_2$ by proving that $I_2 \Rightarrow I_1$ holds on $C_1$, and that $I_1 \Rightarrow I_2$ holds on $C_2$. These methods are called the assume-guarantee paradigm. Some methods, like in [OGK97], also use a component verification of liveness properties. In our approach, a part is not a component of a parallel composition. Our partitioned method is additive whereas the compositionality is multiplicative.

In this paper we present a fair refinement that can be compared with the works on fair simulation presented in [HKR97, GL94, KV96, DHWT91]. The fair refinement differs from the fair simulation in the following points:

• The fair refinement concerns fair transition systems which model action systems, whereas the fair simulation is concerned with the "state systems" modeled as Kripke structures. In the fair refinement, fairness assumptions are expressed on transitions. In Kripke structures, fairness assumptions are expressed on states.

• The fair refinement is a fair $\tau$-simulation because we add new actions in the refined system which are not observable ($\tau$-actions) in the abstract one.

• The fair refinement is a state simulation, as is the fair simulation, but it is also an action simulation, i.e. the sequence of abstract actions is a $\tau$-simulation of the sequence of refined actions. This means that the refined sequence of actions is identical to the sequence of abstract actions, in which finite sub-sequences of $\tau$-actions are interleaved.

• The verification of the fair refinement is linear in the size of the refined system, but the verification of the fair simulation is polynomial [HKR97].
Our method can be combined with the parallel composition of components. We have proved in [BJK02] that the parallel composition is compatible with the refinement, i.e. if $C_1$ is refined by $C_3$ then $C_1 \| C_2$ is refined by $C_3 \| C_2$.

Paper Organization. The paper is organized as follows. The preliminaries (Section 2) present the notation and the concepts of fair transition syst
ems, PLTL and Büchi automata. After a presentation of our refinement relation in Section 3, we explain the partitioned model checking technique in Section 4. Section 5 studies the extension of the partitioned verification principles to fair transition systems. Section 6 gives an example of an application of this technique, and some experimental results are discussed in Section 7. Finally, we situate our concerns and give some ideas about future works in Section 8.

2 Preliminaries 

2.1 Transition systems 

We introduce a finite set of variables $x \in V$ with their respective finite domains $D_x$. Let $AP_V = \{x = v \mid x \in V, v \in D_x\}$ be a set of atomic propositions over $V$.

Definition 2.1 (Transition System) Let $Act$ be a nonempty alphabet of labels (names of actions). A transition system $TS = (S_0, S, Act, \to, L)$ interpreted over $V$ has a set of initial states $S_0$ included in a finite set of states $S$, a labelled transition relation $\to \subseteq S \times Act \times S$ that must be total, and a state labelling function $L : S \to 2^{AP_V}$.

This is a labelled and interpreted transition system. A labelled transition relation $\to$ is a set of triples $(s, a, s')$ (written as "$s \xrightarrow{a} s'$"). It is an interpreted transition system because each state is decorated with a set of atomic propositions. Notice that the set of atomic propositions which is associated to a state $s$ must be consistent, i.e. if $x = v \in L(s)$ and $x = v' \in L(s)$ then $v = v'$.

Remark 2.2 As the transition relation is total, there can be no deadlock in a transition system. If a state $s$ has no successor, a transition $s \xrightarrow{Skip} s$ (where $Skip$ does not belong to $Act$) is added to obtain a transition system.

Definition 2.3 (Execution) An execution of a transition system $(S_0, S, Act, \to, L)$ is an infinite alternating sequence $\sigma = s_0 \xrightarrow{a_0} s_1 \xrightarrow{a_1} s_2 \cdots s_i \xrightarrow{a_i} s_{i+1} \cdots$ of states and actions such that $s_0 \in S_0$ and for every $i \geq 0$, we have $s_i \xrightarrow{a_i} s_{i+1} \in \to$ [KLM+00].

We denote by $\Sigma_{TS}$ the set of all the executions of a transition system $TS$.

Definition 2.4 (Fragment of an execution) We say that $\sigma'$ is a fragment of an execution $\sigma$ (written as $\sigma' \sqsubseteq \sigma$) if the sequence of transitions (finite or infinite) executed in $\sigma'$ is also executed in $\sigma$.

We note $s \xrightarrow{*} s'$ (resp. $s \xrightarrow{+} s'$) the fragments of executions leading from $s$ to $s'$ by executing zero (resp. one) or many transitions.

Definition 2.5 (Cycle) A cycle of a transition system $TS$ is a finite fragment $c = s_0 \to s_1 \to \cdots \to s_n$ of an execution of $TS$, such that $s_n = s_0$ and for all $0 \leq i, j < n$, if $i \neq j$ then $s_i \neq s_j$.

We extend a finite fragment $\sigma' = s_i \xrightarrow{a_i} s_{i+1} \cdots s_{k-1} \xrightarrow{a_{k-1}} s_k$ to an execution $\sigma = s_i \xrightarrow{a_i} s_{i+1} \cdots s_{k-1} \xrightarrow{a_{k-1}} s_k \xrightarrow{Skip} s_k \xrightarrow{Skip} s_k \cdots$ and we call it an extension.

Definition 2.6 (Trace of (a fragment of) an execution) The trace of an execution or of a fragment of an execution $\sigma$, written as $tr(\sigma)$, is the sequence of the labels of the transitions executed in $\sigma$.
Let $TS_2$ be a transition system. The $\tau$-transition system of $TS_2$ on $Act_1$, written as $\tau$-$TS_2$, is a transition system identical to $TS_2$ where the names of the actions of $Act_2$ which do not belong to $Act_1$ are renamed $\tau$.

Definition 2.7 ($\tau$-transition system) Let $Act_1$ be a set of actions. Let $TS_2 = (S_{02}, S_2, Act_2, \to_2, L_2)$ be a transition system, such that $Act_1 \subseteq Act_2$. We call $\tau$-transition system of $TS_2$ on $Act_1$ the transition system $\tau$-$TS_2 = (S_{02}, S_2, Act_{1\tau}, \to_{2\tau}, L_2)$ such that $Act_{1\tau} = Act_1 \cup \{\tau\}$, and the relation $\to_{2\tau}$ is defined as:

$$\to_{2\tau} = \{ s_2 \xrightarrow{\tau} s_2' \mid s_2 \xrightarrow{a_2} s_2' \in \to_2 \wedge a_2 \in Act_2 \wedge a_2 \notin Act_1 \} \cup \{ s_2 \xrightarrow{a_1} s_2' \mid s_2 \xrightarrow{a_1} s_2' \in \to_2 \wedge a_1 \in Act_1 \}.$$

Any cycle $c$ such that $tr(c) \in \tau^*$ is called a $\tau$-cycle.

2.2 Fair transition systems 

We note $Inf_s(\sigma)$ the set of states occurring infinitely often in an execution $\sigma$. We note $Inf_t(\sigma)$ the set of transitions occurring infinitely often in $\sigma$. We note $In(T)$ the set of states which are sources of transitions in a set of transitions $T$. That is,

• $Inf_s(\sigma) = \{ s \mid \sigma = s_0 \xrightarrow{a_0} s_1 \cdots s_i \xrightarrow{a_i} s_{i+1} \cdots \wedge s = s_i$ for infinitely many $i \}$,

• $Inf_t(\sigma) = \{ t \mid \sigma = s_0 \xrightarrow{a_0} s_1 \cdots s_i \xrightarrow{a_i} s_{i+1} \cdots \wedge t = s_i \xrightarrow{a_i} s_{i+1}$ for infinitely many $i \}$,

• $In(T) = \{ s \mid s \xrightarrow{a} s' \in T \}$.

Notice that in [MP95], fairness requirements are expressed on transitions. Here, we express fairness requirements on actions. Fair transition systems model fair action systems. Therefore, the user expresses fairness constraints in the form of fair actions. In a fair transition system, a fair action is expressed by a set $F_i$ of the transitions which have the name of this action as a label.

Definition 2.8 (Fair transition system) Let $TS = (S_0, S, Act, \to, L)$ be a transition system. Let $\mathcal{F}$ be a set of fairness constraints $\{F_1, F_2, \ldots, F_m\}$ where every $F_i \subseteq \to$ is a set of the transitions expressing one fairness constraint. The fair transition system $FTS$ is the tuple $(S_0, S, Act, \to, L, \mathcal{F})$ (often written as $(TS, \mathcal{F})$) such that

(a) $(s_1 \xrightarrow{a} s_1' \in F_i \wedge s_2 \xrightarrow{b} s_2' \in F_i) \Rightarrow (a = b)$,

(b) $(s \xrightarrow{+} s' \wedge s \xrightarrow{a} s' \in F_i) \Rightarrow \exists (s_1, s_1') \cdot (s \xrightarrow{*} s_1 \wedge s_1 \xrightarrow{a} s_1' \wedge s_1' \xrightarrow{*} s' \wedge s_1 \xrightarrow{a} s_1' \in F_i)$,

(c) $(s \xrightarrow{a} s' \in F_i \wedge s \xrightarrow{a} s'' \in \to) \Rightarrow (s' = s'')$.
Let us comment on the three constraints (a), (b) and (c). 

(a) Each element $F_i$ of $\mathcal{F}$ expresses one fairness assumption involving one fair action. Therefore, all the transitions of $F_i$ have the same label.

(b) For each transition $s \xrightarrow{a} s'$ of $F_i$, there does not exist a fragment of execution beginning in $s$ and ending in $s'$ that does not contain a fair transition of $F_i$. This constraint allows expressing fairness as a PLTL property (see Section 2.4).

(c) We require determinism for a fair action since it comes from the environment. So, for each transition $s \xrightarrow{a} s'$ of $F_i$, there does not exist another transition $s \xrightarrow{a} s''$ such that $s' \neq s''$. This constraint allows verifying the refinement in linear time (see Section 3.3).

We call fair transition a transition of a set $F_i \in \mathcal{F}$.

Definition 2.9 (Fair execution (computation)) An execution of $FTS = (TS, \mathcal{F})$ (also called a computation in [MP95]) obeys the fairness requirements $\mathcal{F}$, which means that: $(i \in [1..m] \wedge s \in Inf_s(\sigma) \wedge s \in In(F_i)) \Rightarrow \exists (s', a, s'') \cdot (s' \xrightarrow{a} s'' \in F_i \wedge s' \xrightarrow{a} s'' \in Inf_t(\sigma))$.
The set $\Sigma_{FTS}$ only contains computations. In other words, an execution $\sigma$ is fair if it is true that "if some transition of any $F_i$ is enabled infinitely often by $\sigma$, then some transition of $F_i$ is taken infinitely often by the execution $\sigma$".

The executions of a transition system which do not satisfy fairness requirements are called unfair executions.

Property 2.10 An execution $\sigma$ that contains infinitely often two states $s$ and $s'$ which are in relation by a fair transition $s \xrightarrow{a} s'$ in $F_i$ is a computation. So, $(s \in Inf_s(\sigma) \wedge s' \in Inf_s(\sigma) \wedge s \xrightarrow{a} s' \in F_i) \Rightarrow \exists (s_1, s_1') \cdot (s_1 \xrightarrow{a} s_1' \in F_i \wedge s_1 \xrightarrow{a} s_1' \in Inf_t(\sigma))$.

Proof. Let $\sigma$ be an execution that contains $s$ and $s'$ infinitely often. By the constraint (b) in Definition 2.8, $\sigma$ contains a fair transition labelled by $a$ infinitely often. Therefore, $\sigma$ is a computation. □

Definition 2.11 (Fair Exiting Cycle) Let $c = s_0 \xrightarrow{a_0} s_1 \to \cdots \xrightarrow{a_n} s_0$ be a cycle of a fair transition system. The cycle $c$ is a fair exiting cycle if there exists a transition $t = s_i \xrightarrow{a} s'$ of a fairness constraint $F_j$, such that $s' \neq s_{i+1}$, with $i \in [0..n]$ and $j \in [1..m]$.

We call such a transition $t$ an exit transition for a cycle $c$. By this definition we deduce that the computations of a system do not run around fair exiting cycles infinitely many times because they must take exit transitions.
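As an added illustration, not taken from the paper, the Python code below encodes a small constructed fair transition system and implements the checks the definitions above describe: the constraints (a), (b) and (c) of Definition 2.8, the fairness test of Definition 2.9 on a lasso-shaped execution (a finite list of transitions repeated forever, which is all that $Inf_s$ and $Inf_t$ depend on), and the exit transitions of a cycle from Definition 2.11. The states, action names and fairness set are assumptions made for the example.

```python
# Added example, not from the paper: a constructed fair transition system and
# the checks of Definitions 2.8, 2.9 and 2.11.  Transitions are triples
# (s, a, s'); an execution is given by the finite list of transitions that it
# repeats forever (a lasso), which is all Inf_s and Inf_t depend on.
from collections import deque

# Constructed system: a requester waits in s0, asks in s1, and is either
# denied (back to s0) or granted (s2).  "grant" is the single fair action.
# The Skip self-loop on s2 keeps the relation total (Remark 2.2).
TRANS = {
    ("s0", "req", "s1"),
    ("s1", "deny", "s0"),
    ("s1", "grant", "s2"),
    ("s2", "Skip", "s2"),
}
FAIR = [{("s1", "grant", "s2")}]          # F_1: the fair action "grant"


def reach_plus(trans, src):
    """States reachable from src by one or more transitions (s ->+ s')."""
    seen, todo = set(), deque(t for t in trans if t[0] == src)
    while todo:
        _, _, s2 = todo.popleft()
        if s2 not in seen:
            seen.add(s2)
            todo.extend(t for t in trans if t[0] == s2)
    return seen


def check_fairness_constraints(trans, fair):
    """Return the constraints of Definition 2.8 violated by (trans, fair)."""
    bad = set()
    for fi in fair:
        if len({a for (_, a, _) in fi}) > 1:          # (a): one action per F_i
            bad.add("a")
        for (s, a, s2) in fi:
            # (b): every fragment s ->+ s' must contain a transition of F_i,
            # i.e. s' is unreachable from s once F_i is removed
            if s2 in reach_plus(trans - fi, s):
                bad.add("b")
            # (c): the fair action is deterministic in s
            if any(v != s2 for (u, b, v) in trans if u == s and b == a):
                bad.add("c")
    return sorted(bad)


def is_computation(loop, fair):
    """Definition 2.9: the execution repeating `loop` obeys every F_i."""
    inf_s = {s for (s, _, _) in loop}                 # Inf_s(sigma)
    inf_t = set(loop)                                 # Inf_t(sigma)
    for fi in fair:
        enabled = inf_s & {s for (s, _, _) in fi}     # states of In(F_i) seen forever
        if enabled and not (inf_t & fi):
            return False
    return True


def exit_transitions(cycle, fair):
    """Definition 2.11: fair transitions that leave the cycle."""
    succ = {s: s2 for (s, _, s2) in cycle}
    return {t for fi in fair for t in fi
            if t[0] in succ and t[2] != succ[t[0]]}


if __name__ == "__main__":
    waiting = [("s0", "req", "s1"), ("s1", "deny", "s0")]
    print("constraints violated:", check_fairness_constraints(TRANS, FAIR))
    print("s0 s1 s0 s1 ... is a computation:", is_computation(waiting, FAIR))
    print("exit transitions of that cycle:", exit_transitions(waiting, FAIR))
```

The cycle $s_0 \to s_1 \to s_0$ is a fair exiting cycle (its exit transition is the grant), so the execution that repeats it forever is rejected as unfair, while an execution that eventually takes the grant and stays in $s_2$ is a computation.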

2.3 Gluing Invariant 

Let $SP_V$ be a set of state propositions over $V$ defined by the grammar
$p ::= ap \mid p \vee p \mid \neg p$ where $ap \in AP_V$.

Definition 2.12 (Validity of a state proposition) A state proposition $p \in SP_V$ is valid$^1$ for a state $s$ of a (fair) transition system (written as $s \models p$) if

• $s \models ap$ iff $ap \in L(s)$,

• $s \models p_1 \vee p_2$ iff $s \models p_1$ or $s \models p_2$,

• $s \models \neg p$ iff it is not true that $s \models p$, written as $s \not\models p$.

Let $V_1$ and $V_2$ be respectively the sets of variables of two transition systems $TS_1$ and $TS_2$. Let $SP_{V_{12}}$ be a set of state propositions over $V_1$ and $V_2$ defined by the following grammar:

$q ::= ap_1 \mid ap_2 \mid x_1 = x_2 \mid q \vee q \mid \neg q$ where $ap_1 \in AP_{V_1}$, $ap_2 \in AP_{V_2}$, $x_1 \in V_1$ and $x_2 \in V_2$.

Definition 2.13 (Validity of a state proposition on a pair of states) A proposition $q \in SP_{V_{12}}$ is valid for a pair of states (written as $(s_1, s_2) \models q$) if

• $(s_1, s_2) \models ap_1$ iff $ap_1 \in L_1(s_1)$,

• $(s_1, s_2) \models ap_2$ iff $ap_2 \in L_2(s_2)$,

• $(s_1, s_2) \models x_1 = x_2$ iff $\exists v \cdot (v \in D_{x_1} \wedge v \in D_{x_2} \wedge (x_1 = v) \in L_1(s_1) \wedge (x_2 = v) \in L_2(s_2))$,

• $(s_1, s_2) \models q_1 \vee q_2$ iff $(s_1, s_2) \models q_1$ or $(s_1, s_2) \models q_2$,

• $(s_1, s_2) \models \neg q$ iff it is not true that $(s_1, s_2) \models q$.
$^1$ We also say that "$p$ holds on $s$".
We call gluing invariant a state proposition of $SP_{V_{12}}$ which expresses how the variables from the abstract and the refined transition systems are linked together.

Definition 2.14 (Gluing invariant) A state proposition $I_{12} \in SP_{V_{12}}$ is a gluing invariant of two (fair) transition systems $(F)TS_1$ over $V_1$ and $(F)TS_2$ over $V_2$, if $I_{12}$ is an invariant on $S_1 \times S_2$ (i.e. $(s_1, s_2) \models I_{12}$ for all pairs $(s_1, s_2)$ of $S_1 \times S_2$), and $I_{12}$ is a total function from $S_2$ to $S_1$.

We require $I_{12}$ to be a total function from $S_2$ to $S_1$ because it allows partitioning $TS_2$ (see Section 3.1).
2.4 PLTL 

Here, we define all future PLTL formulas with the two temporal operators, Next ($\bigcirc$) and Until ($U$). We also use the following notations: $\Diamond P$ (eventually $P$) defined as $true\,U\,P$, $\Box P$ (always $P$) defined as $\neg\Diamond\neg P$, and $P_1 \Rightarrow P_2$ defined as $\neg P_1 \vee P_2$. The composition of the temporal operators $\Box\Diamond$ means infinitely often.

In order to verify PLTL formulas on a (fair) transition system $(F)TS$, we extend Definition 2.12 to the PLTL semantics on the executions (or computations) in a standard way.

Definition 2.15 (PLTL) Given PLTL formulas $P, P_1, P_2$ and an execution $\sigma$ (or computation), we define $P$ to be valid at the state $s_j$, $j \geq 0$, on an execution $\sigma = s_0 \xrightarrow{a_0} s_1 \to \cdots s_j \cdots$ (written as $(\sigma, j) \models P$) as follows:

• $(\sigma, j) \models ap$ iff $ap \in L(s_j)$,

• $(\sigma, j) \models \neg P$ iff it is not true that $(\sigma, j) \models P$, written as $(\sigma, j) \not\models P$,

• $(\sigma, j) \models P_1 \vee P_2$ iff $(\sigma, j) \models P_1$ or $(\sigma, j) \models P_2$,

• $(\sigma, j) \models \bigcirc P$ iff $(\sigma, j+1) \models P$,

• $(\sigma, j) \models P_1\,U\,P_2$ iff $\exists k \cdot (k \geq j \wedge (\sigma, k) \models P_2 \wedge \forall i \cdot (j \leq i < k \Rightarrow (\sigma, i) \models P_1))$.

When $(\sigma, 0) \models P$ we say that "$P$ holds on $\sigma$" and we note $\sigma \models P$.
Now, we extend Definition 2.15 to transition systems.

Definition 2.16 (Validity of a PLTL formula on a (fair) transition system) A PLTL formula $P$ is valid for a (fair) transition system $(F)TS$, written as $(F)TS \models P$, if $\forall \sigma \cdot (\sigma \in \Sigma_{(F)TS} \Rightarrow \sigma \models P)$.

PLTL allows expressing many dynamic properties such as safety, liveness and fairness. Fairness assumptions expressed by the set $\mathcal{F}$ are described by the PLTL formula

$$f = \bigwedge_{i=1}^{m} \Big( \Box\Diamond \bigvee_{s \xrightarrow{a} s' \in F_i} \big( \bigwedge_{ap \in L(s)} ap \big) \Rightarrow \Box\Diamond \bigvee_{s \xrightarrow{a} s' \in F_i} \big( \bigwedge_{ap' \in L(s')} ap' \big) \Big)$$

which means that if a transition $t = s \xrightarrow{a} s'$ of a fairness constraint $F_i$ is infinitely often enabled, then a transition of $F_i$ must be taken infinitely often. This description is correct because of Property 2.10.

It is important to notice that the verification of a PLTL formula is the same on a transition system $TS$ and on a $\tau$-transition system $\tau$-$TS$.

Property 2.17 $\tau$-$TS \models P$ iff $TS \models P$.

Proof. The sequences of states which compose the executions in $\Sigma_{\tau\text{-}TS}$ and $\Sigma_{TS}$ are the same by Definition 2.7. Since the PLTL satisfaction in Definition 2.15 is verified only on the sequences of states of the executions, Property 2.17 holds. □
A property of a system expressed as a PLTL formula is referred to as a PLTL property. 
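The following Python code is an added example, not from the paper: it evaluates the PLTL semantics of Definition 2.15 on lasso-shaped executions, derives $\Diamond$, $\Box$ and $\Rightarrow$ as in Section 2.4, and builds the fairness formula $f$ above from a set of fairness constraints and a labelling. Since it works on state sequences only, it also shows the point of Property 2.17: relabelling actions with $\tau$ changes nothing here. The tuple encoding of formulas, the labelling and the two executions are assumptions made for the example.

```python
# Added example, not from the paper: the PLTL semantics of Definition 2.15
# evaluated on lasso-shaped executions, the derived operators of Section 2.4,
# and the fairness formula f of Section 2.4 built from fairness constraints.
# Formulas are nested tuples; states, labels and constraints are constructed.

TRUE = ("true",)
def ap(name):      return ("ap", name)
def neg(p):        return ("not", p)
def disj(p, q):    return ("or", p, q)
def nxt(p):        return ("next", p)                    # O P
def until(p, q):   return ("until", p, q)                # P U Q
def ev(p):         return until(TRUE, p)                 # <> P  = true U P
def always(p):     return neg(ev(neg(p)))                # [] P  = not <> not P
def implies(p, q): return disj(neg(p), q)                # P1 => P2 = not P1 or P2
def conj(p, q):    return neg(disj(neg(p), neg(q)))


def big_or(fs):
    fs = list(fs)
    out = fs[0] if fs else neg(TRUE)
    for g in fs[1:]:
        out = disj(out, g)
    return out


def big_and(fs):
    fs = list(fs)
    out = fs[0] if fs else TRUE
    for g in fs[1:]:
        out = conj(out, g)
    return out


class Lasso:
    """An infinite state sequence s_0 s_1 ... given by the labels L(s_j) of a
    finite prefix whose last state loops back to position `loop`."""
    def __init__(self, labels, loop):
        self.labels = [frozenset(l) for l in labels]
        self.loop, self.n = loop, len(labels)

    def norm(self, j):
        """Map any position to the equivalent position in the finite prefix."""
        return j if j < self.n else self.loop + (j - self.loop) % (self.n - self.loop)

    def L(self, j):
        return self.labels[self.norm(j)]


def holds(sigma, f, j=0, memo=None):
    """(sigma, j) |= f, clause by clause as in Definition 2.15."""
    memo = {} if memo is None else memo
    j = sigma.norm(j)
    if (f, j) in memo:
        return memo[(f, j)]
    op = f[0]
    if op == "true":
        r = True
    elif op == "ap":
        r = f[1] in sigma.L(j)
    elif op == "not":
        r = not holds(sigma, f[1], j, memo)
    elif op == "or":
        r = holds(sigma, f[1], j, memo) or holds(sigma, f[2], j, memo)
    elif op == "next":
        r = holds(sigma, f[1], j + 1, memo)
    else:  # until: some k >= j satisfies f[2] with f[1] at every i in [j, k);
        # on a lasso every distinct suffix occurs within the next n positions
        r = False
        for k in range(j, j + sigma.n + 1):
            if holds(sigma, f[2], k, memo):
                r = True
                break
            if not holds(sigma, f[1], k, memo):
                break
    memo[(f, j)] = r
    return r


def fairness_formula(fair, labelling):
    """f = /\_i ( []<> V_{s -a-> s' in F_i} /\_{ap in L(s)} ap  =>
                   []<> V_{s -a-> s' in F_i} /\_{ap' in L(s')} ap' )."""
    parts = []
    for fi in fair:
        enabled = big_or(big_and(ap(x) for x in labelling[s]) for (s, _, _) in fi)
        taken = big_or(big_and(ap(x) for x in labelling[s2]) for (_, _, s2) in fi)
        parts.append(implies(always(ev(enabled)), always(ev(taken))))
    return big_and(parts)


# Constructed labelling and fairness set (one fair action s1 -grant-> s2).
LABEL = {"s0": {"idle"}, "s1": {"pending"}, "s2": {"granted"}}
F_FORMULA = fairness_formula([{("s1", "grant", "s2")}], LABEL)
RESPONSE = always(implies(ap("pending"), ev(ap("granted"))))
UNFAIR = Lasso([LABEL["s0"], LABEL["s1"]], loop=0)               # s0 s1 s0 s1 ...
FAIR_RUN = Lasso([LABEL["s0"], LABEL["s1"], LABEL["s2"], LABEL["s0"]], loop=1)

if __name__ == "__main__":
    for name, run in (("unfair", UNFAIR), ("fair", FAIR_RUN)):
        print(name, "|= f:", holds(run, F_FORMULA), " |= response:", holds(run, RESPONSE))
```

On the execution that keeps being denied, $f$ is false (the grant is enabled infinitely often but never taken), and so is the response property $\Box(pending \Rightarrow \Diamond granted)$; on the execution that is eventually granted both hold, which is exactly why verifying $f \Rightarrow P$ rather than $P$ is what fairness assumptions require.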
2.5 Büchi Automata and Executions Acceptance

We associate to a PLTL formula $P$ a Büchi automaton denoted $B_P$. The automaton $B_P$ accepts all the executions on which $P$ holds.

Definition 2.18 (Büchi automaton) A Büchi automaton is a 5-tuple $B = (q_0, Q, SP_V, \to_B, A)$ where:

• $Q$ is a finite set of states ($q_0 \in Q$ is the initial state),

• $\to_B$ is a finite set of transitions labelled by elements of $SP_V$: $\to_B \subseteq Q \times SP_V \times Q$,

• $A \subseteq Q$ is the set of accepting states of the automaton.

Similarly to the notion of execution of a transition system, an infinite alternating sequence of states of $B$ and state propositions in $SP_V$ is called a run of $B$. We denote by $\Sigma_B$ the set of all the runs of $B$. A run of $B$ is accepting if at least one of the accepting states appears infinitely often in the run.

Definition 2.19 (Execution Acceptance) An execution $\sigma = s_0 \xrightarrow{a_0} s_1 \cdots s_i \xrightarrow{a_i} s_{i+1} \cdots \in \Sigma_{TS}$ is accepted by a run $\pi = q_0 \xrightarrow{p_0} q_1 \cdots q_i \xrightarrow{p_i} q_{i+1} \cdots \in \Sigma_B$ if

i) it is a run of $B$ on $\sigma$: $\forall i \cdot ((0 \leq i \wedge q_i \xrightarrow{p_i} q_{i+1} \in \to_B) \Rightarrow s_i \models p_i)$,

ii) the run is accepting: $Inf_s(\pi) \cap A \neq \emptyset$.
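As an added example (not part of the paper), the Python code below encodes a Büchi automaton in the form of Definition 2.18 and decides execution acceptance as in Definition 2.19 for lasso-shaped executions, by looking for a reachable accepting state of the product of execution and automaton that lies on a cycle. The automaton, built by hand for $\neg\Box(p \Rightarrow \Diamond q)$ so that an accepted execution is a counter-example to the response property, and the two executions are assumptions made for this example.

```python
# Added example, not from the paper: a Büchi automaton as in Definition 2.18
# and the execution-acceptance test of Definition 2.19, applied to lasso-shaped
# executions.  The automaton (for the negation of a response property) and the
# executions are constructed for the illustration.
from collections import deque

TRUE = ("true",)


def sp_holds(labels, p):
    """s |= p for a state proposition p built from ("ap", x), ("not", p),
    ("or", p, q) and ("true",), as in Definition 2.12 (s given by L(s))."""
    if p[0] == "true":
        return True
    if p[0] == "ap":
        return p[1] in labels
    if p[0] == "not":
        return not sp_holds(labels, p[1])
    return sp_holds(labels, p[1]) or sp_holds(labels, p[2])


class Buchi:
    """B = (q0, Q, SP_V, ->_B, A); Q is implied by the transitions."""
    def __init__(self, q0, trans, accepting):
        self.q0, self.trans, self.accepting = q0, set(trans), set(accepting)


def lasso(labels, loop):
    """Execution s_0 s_1 ... given by L(s_j) on a prefix looping back to `loop`."""
    return {"labels": [frozenset(l) for l in labels], "loop": loop}


def successors(b, sigma, node):
    """Product step: from (i, q_i) take q_i -p_i-> q_{i+1} when s_i |= p_i."""
    pos, q = node
    n = len(sigma["labels"])
    nxt = pos + 1 if pos + 1 < n else sigma["loop"]
    return {(nxt, q2) for (q1, p, q2) in b.trans
            if q1 == q and sp_holds(sigma["labels"][pos], p)}


def reach_plus(b, sigma, start):
    """Product nodes reachable from start by one or more steps."""
    seen, todo = set(), deque(successors(b, sigma, start))
    while todo:
        node = todo.popleft()
        if node not in seen:
            seen.add(node)
            todo.extend(successors(b, sigma, node))
    return seen


def accepts(b, sigma):
    """Definition 2.19: some run of B on sigma visits A infinitely often,
    i.e. an accepting product node is reachable and lies on a cycle."""
    init = (0, b.q0)
    for node in reach_plus(b, sigma, init) | {init}:
        if node[1] in b.accepting and node in reach_plus(b, sigma, node):
            return True
    return False


def negated_response(p, q):
    """B for not [](p => <>q), i.e. <>(p and []not q): q0 loops on true,
    moves to the accepting q1 on p and not q, and q1 loops while not q."""
    p_and_not_q = ("not", ("or", ("not", ("ap", p)), ("ap", q)))
    return Buchi("q0", {("q0", TRUE, "q0"),
                        ("q0", p_and_not_q, "q1"),
                        ("q1", ("not", ("ap", q)), "q1")}, {"q1"})


# Constructed executions: one never grants a pending request, one does.
B_VIOLATION = negated_response("pending", "granted")
UNFAIR = lasso([{"idle"}, {"pending"}], loop=0)
FAIR_RUN = lasso([{"idle"}, {"pending"}, {"granted"}, {"idle"}], loop=1)

if __name__ == "__main__":
    print("unfair execution violates the response property:", accepts(B_VIOLATION, UNFAIR))
    print("fair execution violates the response property:", accepts(B_VIOLATION, FAIR_RUN))
```

Because the automaton accepts the negation of the property, an accepted execution is a witness that the property fails; the product-cycle search is the same idea a model checker applies to the whole transition system rather than to one execution.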

3 Refinement 

In this section, we express the refinement semantics as a relation between fair transition systems because we want to verify PLTL properties under fairness assumptions during the development by the refinement process. We improve the refinement relation between transition systems defined in [BJK00] by the fairness preservation clause in order to obtain the fair refinement relation.

We define the refinement relation as a state and action simulation which allows us to exploit a partition 
of the refined transition system state space into parts. With such a partition we are able to deal with the 
model checking blow-up by verifying PLTL properties of the refined system in a partitioned way. Moreover 
the fairness constraints of the environment make some abstract system behaviors fair, and these fairness 
constraints are preserved during the refinement steps. So, we want to verify PLTL properties under fairness 
assumptions in a partitioned way at the refined level. 

3.1 Gluing Relation and State Space Partition 

In this section, we consider two fair transition systems $FTS_1 = (S_{01}, S_1, Act_1, \to_1, L_1, \mathcal{F}_1)$ over $V_1$ and $FTS_2 = (S_{02}, S_2, Act_2, \to_2, L_2, \mathcal{F}_2)$ over $V_2$ giving the operational semantics of a system at two levels of refinement. The relation between the variables $V_1$ and $V_2$ is defined using a gluing invariant $I_{12}$. Our goal is to verify that $FTS_1$ is refined by $FTS_2$ (written as $FTS_1 \sqsubseteq_f FTS_2$) according to $I_{12}$.
In our approach, the main features of the refinement are as follows.

1. The refinement introduces new actions, so $Act_1 \subseteq Act_2$.

2. The refinement renames variables, so $V_1 \cap V_2 = \emptyset$.

3. The refinement introduces a gluing invariant, $I_{12}$.

Before defining the refinement relation, we define the gluing relation $\mu$ as a total function from $S_2$ to $S_1$. The refinement relation is the gluing relation restricted by additional clauses.
3.1.1 Gluing Relation and State Space Partition

We define a binary relation $\mu \subseteq S_2 \times S_1$ allowing us to express the relation between the states of two transition systems $TS_1$ and $TS_2$.

Definition 3.1 (Glued states) Let $I_{12}$ be the gluing invariant. The state $s_2 \in S_2$ is glued to $s_1 \in S_1$ by $I_{12}$, written $s_2\ \mu\ s_1$, if $(s_1, s_2) \models I_{12}$.

Since $\mu$ is a total function from $S_2$ to $S_1$, we can define an equivalence relation $\equiv_\mu$ between states of the refined transition system.

Definition 3.2 (Equivalence class) Consider a state $s_1 \in S_1$. $EC(s_1)$ is an equivalence class of $S_2/\!\equiv_\mu$ if, for every state $s_2 \in EC(s_1)$, we have $s_2\ \mu\ s_1$.

3.2 Refinement Relation 

In this section, we define the refinement of two fair transition systems as a particular kind of simulation and we view it as computations containment. For that, we restrict $\mu$ into a function $\mu_f$ which relates a refined fair transition system to one of its abstractions.

This relation allows us to distinguish some elements of the state space partition that we call parts. This partition is used either to prove an invariant of a part or to verify state propositions of a PLTL formula which are verified on a part (see Section 4). In order to describe the refinement, we keep the transitions of $FTS_2$ labelled over $Act_1$ but the new ones (from $Act_2 \setminus Act_1$) introduced by the refinement are considered as non observable $\tau$ moves. These $\tau$ moves hide the transitions of the parts viewed as transition systems (see Fig. 1). Let $Act_{1\tau} = Act_1 \cup \{\tau\}$. In the above parts, it is certainly not desirable that $\tau$ moves take control forever. Therefore, infinite $\tau$-executions are forbidden.

Let $S_{c2}$ be the set of the states of $S_2$ (see Fig. 1) which are targets of a transition labelled by an abstract action, and are glued with the states of $S_1$ that are sources of at least one transition in a fairness constraint $F_{1i}$. For example, $S_{c2}$ is the set $\{s_2, w\}$ in Fig. 1. Any cycle at the refined level refining an abstract fair exiting cycle contains a state of the set $S_{c2}$. Let $\sigma$ be a computation which runs around such a cycle $c$ infinitely often; this means it reaches a state of $S_{c2}$. The computation $\sigma$ must leave $c$ infinitely often in order to preserve the fairness constraints of the abstract level.

$$S_{c2} = \{ s_2 \mid \exists (s, a_1) \cdot (s \xrightarrow{a_1} s_2 \in \to_2) \wedge \exists (s_1, s_1', a_1') \cdot (s_1 \xrightarrow{a_1'} s_1' \in \bigcup_{i=1}^{m_1} F_{1i}) \wedge F_{1i} \in \mathcal{F}_1 \wedge s_2\ \mu\ s_1 \}.$$

Let $T_1 : S_{c2} \to 2^{\to_1}$ be a total function. We denote by $T_1(s_2)$ the set of the abstract fair transitions such that their source states are glued with the state $s_2$ by the relation $\mu$. For example, $T_1(s_2)$ is the set $\{t_1\}$ and $T_1(w)$ is the set $\{t\}$ in Fig. 1. The computations in which the state $s_2$ appears infinitely often execute infinitely often the transitions of $\to_2$ which refine the transitions of $T_1(s_2)$.

$$T_1(s_2) = \{ t_1 \mid t_1 = s_1 \xrightarrow{a_1} s_1' \wedge t_1 \in \bigcup_{i=1}^{m_1} F_{1i} \wedge F_{1i} \in \mathcal{F}_1 \wedge s_2\ \mu\ s_1 \}.$$

Let $\tau$-$FTS_2 = (S_{02}, S_2, Act_{1\tau}, \to_{2\tau}, L_2, \mathcal{F}_2)$ be the fair transition system resulting from $FTS_2$ and $Act_1$. Let $s_1$ be a state of $FTS_1$ ($s_1 \in S_1$) and $s_2$ be a state of $FTS_2$. Let $a$ be a name of action of $FTS_1$, $a \in Act_1$.

Definition 3.3 ($\mu_f$ relation) Let $FTS_1$ and $\tau$-$FTS_2$ be respectively two fair transition systems provided with a gluing invariant $I_{12}$. The relation $\mu_f \subseteq S_2 \times S_1$ is defined from $I_{12}$ as the greatest binary relation included into $\mu$ satisfying the following clauses:

1. strict refinement of abstract transition

$(s_2\ \mu_f\ s_1 \wedge s_2 \xrightarrow{a}_{2\tau} s_2') \Rightarrow \exists s_1' \cdot (s_1 \xrightarrow{a}_1 s_1' \wedge s_2'\ \mu_f\ s_1')$,

2. $\tau$-divergence freeness

$\forall \sigma \cdot (\sigma \in \Sigma_{\tau\text{-}FTS_2} \Rightarrow \forall m \cdot (m \in Act_1^* \Rightarrow tr(\sigma) \neq m \cdot \tau^\omega))$,

3. stuttering of $\tau$-transitions

$(s_2\ \mu_f\ s_1 \wedge s_2 \xrightarrow{\tau}_{2\tau} s_2') \Rightarrow s_2'\ \mu_f\ s_1$,

4. abstract fairness preservation (see Fig. 1)

$s_2\ \mu_f\ s_1 \wedge s_2 \in S_{c2} \wedge s_1 \xrightarrow{a} s_1' \in T_1(s_2) \wedge i \in [1..m_1] \wedge s_1 \xrightarrow{a} s_1' \in F_{1i} \wedge s_2 \in Inf_s(\sigma_2) \wedge \sigma_2 \in \Sigma_{FTS_2} \Rightarrow \exists (s, s', u, v) \cdot (s \xrightarrow{a} s' \in F_{1i} \wedge u \xrightarrow{a} v \in Inf_t(\sigma_2) \wedge u\ \mu_f\ s \wedge v\ \mu_f\ s')$,

5. non reduction of the abstract fairness constraints (see Fig. 1)

$s_2\ \mu_f\ s_1 \wedge s_2 \in S_{c2} \wedge s_1 \xrightarrow{a} s_1' \in T_1(s_2) \Rightarrow \exists (\sigma_2, s_2', s_2'') \cdot (\sigma_2 \in \Sigma_{FTS_2} \wedge s_2' \xrightarrow{a} s_2'' \wedge s_2'\ \mu_f\ s_1 \wedge s_2''\ \mu_f\ s_1' \wedge (s_2 \in Inf_s(\sigma_2) \Rightarrow s_2' \xrightarrow{a} s_2'' \in Inf_t(\sigma_2)))$.

Figure 1: Refinement of a fair exiting cycle. The fair transitions at the abstract level are $t = s \to s'$ and $t_1 = s_1 \to s_1'$, such that $F_{1i} = \{t, t_1\}$, $i \in [1..m_1]$ and $\mathcal{F}_1 = \{F_{1i}\}$. The transitions $t$ and $t_1$ are the exit transitions of the cycle at the abstract level. At the refined level the state $s_2$ belongs to the set $S_{c2}$. So, it is linked by the relation $\mu_f$ to a state $s_1$ which is a source state of the fair transition $t_1$ ($t_1 \in F_{1i}$). Therefore $T_1(s_2) = \{t_1\}$.

Clauses 1 to 3 are already defined in [BJK00] in order to define the refinement relation between two transition systems. In this paper, we have added Clause 4 in order to define the refinement relation between fair transition systems. Notice that the presence of Clause 2 guarantees the monotonicity of an iterative construction of the relation $\mu_f$ and, this way, the existence of this relation.

The clauses of Definition 3.3 imply that all the $\tau$-fragments (i.e. sequences of $\tau$-transitions) are finite and are followed by a transition labelled in $Act_1$. Therefore, $\tau$-livelocks are forbidden. In fair transition systems, the executions which run around $\tau$-cycles infinitely many times without taking their exit transitions infinitely often are called $\tau$-executions. New fairness assumptions must be introduced in the refined level in order to forbid $\tau$-executions.

The aim of Clause 4 and Clause 5 is to preserve the abstract fairness constraints. At the abstract level, fairness constraints express restrictions on some executions of the system. The excluded executions are those which run around fair exiting cycles infinitely many times without taking their exit transitions infinitely often; they are not computations.

Figure 2: Included computations

Clause 4 and Clause 5 are illustrated by Fig. 1 which represents the refinement of a fair exiting cycle. In this case, the relation $\mu_f$ between $\tau$-$FTS_2$ and $FTS_1$ satisfies Clause 4 if and only if every execution $\sigma$ of $\tau$-$FTS_2$ in which the state $s_2$ (or the state $w$) occurs infinitely often ($s_2$ belongs to a fair exiting cycle) activates infinitely often a transition of $\tau$-$FTS_2$ which is simulated$^2$ by a transition in $F_{11}$ (because $t_1 = s_1 \to s_1' \in F_{11}$). Therefore, computations must activate infinitely often either the transition $s_2' \to s_2''$ (see Fig. 1) (this transition is simulated by the transition $t_1$), or the transition $u \to v$ (this transition is simulated by the transition $t$ and $t = s \to s' \in F_{11}$).

The relation $\mu_f$ between $\tau$-$FTS_2$ and $FTS_1$ satisfies Clause 5 if and only if there exist executions of $\tau$-$FTS_2$ which reach infinitely often the states of $S_{c2}$, i.e. $s_2$ and $w$ respectively (they are simulated by the source states of the fair transitions $t_1$ and $t$ respectively), and activate infinitely often the transitions of $\tau$-$FTS_2$ which are simulated by $t_1$ and $t$ respectively.

So, Clauses 4 and 5 show that any cycle $c_2$ of $\tau$-$FTS_2$ which is simulated by a fair exiting cycle $c_1$ must satisfy the following conditions:

• $c_2$ must be a fair exiting cycle,

• if the exit transitions of $c_1$ are the transitions $t$ and $t_1$ (see Fig. 1), then the computations which run around $c_2$ infinitely often must activate infinitely often the transition $u \to v$ or the transition $s_2' \to s_2''$ because they are simulated respectively by $t$ and $t_1$,

• the cycle $c_2$ must have at least the same number of exit transitions as $c_1$.

Clause 4 and Clause 5 ensure that we have a refinement relation which preserves the abstract fairness constraints, and which also preserves the PLTL properties. It means that a PLTL property satisfied at the abstract level is also verified at the refined level. For this, it is necessary that each computation of the refined level is simulated by a computation of the abstract system. This is guaranteed by Clauses 4 and 5. Abstract fairness assumptions are reformulated and introduced at the refined level in order to satisfy Clauses 4 and 5.

When the fair refinement relation holds between two fair transition systems $FTS_1$ and $FTS_2$, the executions of $TS_2$ which satisfy fairness assumptions also satisfy Clause 2 and Clause 4.

Remark 3.4 Intuitively, the relation $\mu_f$ implies computations containment. Given $\Sigma_{FTS_1}$ and $\Sigma_{\tau\text{-}FTS_2}$, Clauses 1, 2 and 3 of Definition 3.3 mean that every execution of $\Sigma_{\tau\text{-}FTS_2}$ is linked to some execution in $\Sigma_{FTS_1}$ (see Fig. 2). In other words, to every transition labelled $a$ in $FTS_1$ corresponds a fragment $\sigma'$ of an execution of $FTS_2$ where $\sigma'$ is composed of a sequence of $\tau$-transitions followed by a transition labelled by $a$.

Definition 3.5 (Refinement) A fair transition system $FTS_1 = (S_{01}, S_1, Act_1, \to_1, L_1, \mathcal{F}_1)$ is refined by a fair transition system $FTS_2 = (S_{02}, S_2, Act_2, \to_2, L_2, \mathcal{F}_2)$ provided with a gluing invariant $I_{12}$, written $FTS_1 \sqsubseteq_f FTS_2$, if $\forall s_2 \cdot (s_2 \in S_{02} \Rightarrow \exists s_1 \cdot (s_1 \in S_{01} \wedge s_2\ \mu_f\ s_1))$.

Often initial states are designated ($S_0 \subseteq S$). Then it is enough that $\mu_f$ holds on the reachable state spaces of both systems. If there exist $\tau$-cycles, they must be forbidden by the new fairness assumptions.

$^2$ We say that a transition $s_2 \to s_2'$ is simulated by a transition $s_1 \to s_1'$ when $s_2\ \mu_f\ s_1$ and $s_2'\ \mu_f\ s_1'$.
3.3 Analysis of the refinement verification

The algorithmic verification of refinement of finite transition systems can be effectively done by a joint exploration of the reachable state spaces. We have given a verification algorithm of the fair refinement in [CJ03, Cho03] (the proof of the algorithm was also given).

Let $|TS_1|$ and $|TS_2|$ be respectively the sizes of the transition system and of one of its refinements. Suppose $\mu$ is a function. Verifying Clauses (1), (3) requires a parallel exploration of the systems $TS_1$ and $TS_2$. The same goes for Clauses (4), (5) because of the constraint (c) in Definition 2.8. Therefore, the complexity is $O(|TS_1| + |TS_2|) \approx O(|TS_2|)$ (because generally $|TS_2| > |TS_1|$). For a finite $TS_2$, verifying Clause (2) requires a search for $\tau$-cycles by exploring paths of $TS_2$ and by following fair transitions. This verification does not change the complexity ($O(|TS_2|)$).

However, if $\mu$ is not a function, the verification necessitates a joint enumeration of both systems. The complexity becomes $O(|TS_2| \times |TS_1|)$.

In the next section, we give an overview of how to verify PLTL properties without considering environment fairness constraints, by partitioned model checking, as presented in [MMJ00, JMM01, Mas01].

4 Partitioned Model Checking 

In this section, we present the main results of an out-of-core model checking technique that we have developed in order to face the state explosion problem in PLTL model checking. This technique has been presented in [MMJ00, JMM01] for transition systems without fairness assumptions.

In order to perform model checking on large transition systems, the partitioned verification technique 
relies on a simple idea: why not split the transition system into several smaller pieces, and perform the 
verification on each piece separately? The pieces are called parts. Parts are transition systems as well. The 
initial transition system is called the global transition system. 

In order to have every transition in one part, the parts are constructed by partitioning the transitions of the global transition system. Some states may belong to two distinct parts: they can be the target state of a transition $t$ in one part, and the source state of a transition $t'$ in another part.

To perform a partitioned verification is to verify a property on each part separately, and to conclude that 
it is globally true when it is true on every part. 

Section 4.1 defines what a property verifiable by parts is, and exhibits a class of such PLTL properties. Section 4.2 proposes a partitioning of a transition system based on the refinement.

4.1 Properties Verifiable by Parts 

4.1.1 Definition of a Property Verifiable by Parts 

Consider a transition system split into a set of parts (transition systems) according to a partition of its set of transitions. Actually, it is enough that the parts are obtained by an overlapping of the transitions. Some PLTL properties have the property of being globally true when they are true on every part. We call such properties verifiable by parts.

Definition 4.1 (Property verifiable by parts) Let $P$ be a PLTL property. Let $TS$ be a transition system, and let $\mathcal{M}$ be a partitioning of $TS$. The property $P$ is verifiable by parts on $TS$ if

$\forall M \cdot (M \in \mathcal{M} \Rightarrow M \models P) \Rightarrow TS \models P$. (2)

Remark 4.2 We simply say P is verifiable by parts, instead of P is verifiable by parts on TS. 

4.1.2 A Class of PLTL Properties Verifiable by parts 

Before we perform a partitioned verification, we have to make sure that the properties that we want to verify are verifiable by parts. That is, we have to prove (2) for every property. Let $P$ be a PLTL property. Notice that to prove "if $P$ is true on every part, then it is true on the global transition system" is equivalent to proving "if $P$ is false on the global transition system, then it is false on at least one part". That is, proving (2) is equivalent to proving (3):

$\neg(TS \models P) \Rightarrow \exists M \cdot \exists \sigma \cdot (M \in \mathcal{M} \wedge \sigma \in \Sigma_M \wedge \sigma \models \neg P)$. (3)

By using Büchi automata, we give a sufficient condition for a PLTL property to be verifiable by parts. Consider a property $P$, and an execution $\sigma$ on which $P$ does not hold. Suppose that there is a state $s$ in $\sigma$ such that every fragment of $\sigma$ starting in $s$ violates $P$. Then the part containing $s$ violates $P$ since it contains a fragment of $\sigma$ starting in $s$. The same idea works when a single transition is the cause of such a violation of the property. Because every state (and every transition) necessarily belongs to one part, we know that the property does not hold on the part that contains this state (or transition).

We define a class $B_{mod}$ of Büchi automata, and we prove that every PLTL property whose negation defines a language that is recognized by an automaton in $B_{mod}$ is a property verifiable by parts. An automaton in $B_{mod}$ has every accepting state leading only to accepting states, and there is at most one intermediate state between the initial state and any accepting state. Moreover, there is a loop labelled True on the initial state.

Definition 4.3 (Class $B_{mod}$ of Büchi automata) Let $B = (q_0, Q, SP_V, \to_B, A)$ be a Büchi automaton. We have $B \in B_{mod}$ if

1. there is a loop labelled True on the initial state: $q_0 \xrightarrow{True} q_0 \in \to_B$,

2. for any run $\pi = q_0 \to q_1 \to q_2 \cdots q_i \to q_{i+1} \cdots \in \Sigma_B$,

$\exists k \cdot (k \geq 0 \wedge \forall i \cdot ((0 \leq i < k \Rightarrow q_i = q_0) \wedge (i \geq k \Rightarrow q_i \in A)))$, (4)

3. $\forall (q, p, q') \cdot (q \xrightarrow{p} q' \in \to_B \wedge q' \in A \Rightarrow \exists (p', q'') \cdot (q' \xrightarrow{p'} q'' \in \to_B \wedge p \Rightarrow p'))$.

Theorem 4.4 All the PLTL properties whose negation defines a language that is recognized by a Büchi automaton in the class $B_{mod}$ are properties verifiable by parts.

Proof. Let $P$ be a PLTL property and let $TS$ be a transition system on which $P$ does not hold. We have $\neg(TS \models P)$, that is:

$\exists \sigma \cdot (\sigma \in \Sigma_{TS} \wedge \sigma \models \neg P)$.

Let $B_{\neg P} \in B_{mod}$ be a Büchi automaton that recognizes the language of $\neg P$. There exists a run $\pi = q_0 \to q_1 \to q_2 \cdots q_i \to q_{i+1} \cdots \in \Sigma_{B_{\neg P}}$ of $B_{\neg P}$ on $\sigma$ on which (4) holds. With an index $k$ as defined in Formula (4), we consider $s_{k-1}$ and $s_k$, respectively the $(k-1)$-th and $k$-th states in the execution $\sigma$. With any partitioning of $TS$, the transition $s_{k-1} \xrightarrow{a_{k-1}} s_k$ necessarily belongs to a part $M$, and the state $s_{k-1}$ is reachable with transitions of $M$ from an initial state $s'_0$ of $M$. Let

$\sigma' = s'_0 \xrightarrow{a'_0} s'_1 \cdots s_{k-1} \xrightarrow{a_{k-1}} s_k \cdots$

be a fragment of an execution of $TS$ such that the suffix $s_{k-1} \xrightarrow{a_{k-1}} s_k \cdots$ is common to $\sigma$ and $\sigma'$, and such that all the transitions appearing in the prefix $s'_0 \cdots s_{k-1} \xrightarrow{a_{k-1}} s_k$ of $\sigma'$ are transitions of $M$. Consider the run

$\pi' = q_0 \xrightarrow{True} q_0 \cdots q_0 \xrightarrow{True} q_{k-1} \xrightarrow{p_{k-1}} q_k \xrightarrow{p_k} q_{k+1} \cdots$

of $B_{\neg P}$ where the suffix $q_{k-1} \xrightarrow{p_{k-1}} q_k \cdots$ is common to $\pi$ and $\pi'$. Such a run exists as $B_{\neg P} \in B_{mod}$ and as $q_{k-1} = q_0$ by construction. Moreover, the run $\pi'$ is accepting on $\sigma'$ because it "stays" on $q_0$ until it accepts the suffix $s_{k-1} \xrightarrow{a_{k-1}} s_k \cdots$ the same way it accepted it in $\sigma$. There are two cases.

1. $\sigma'$ is an execution of $M$. Then $\sigma'$ is accepted by $B_{\neg P}$ and so $\neg(M \models P)$.

2. $\sigma'$ is not an execution of $M$: there is a state $s_c$ ($c > k$) such that the prefix $s'_0 \cdots s_{k-1} \xrightarrow{a_{k-1}} s_k \cdots s_{c-1} \xrightarrow{a_{c-1}} s_c$ of $\sigma'$ is a fragment of an execution

$\sigma'' = s'_0 \xrightarrow{a'_0} s'_1 \cdots s_{k-1} \xrightarrow{a_{k-1}} s_k \cdots s_{c-1} \xrightarrow{a_{c-1}} s_c \xrightarrow{Skip} s_c \xrightarrow{Skip} s_c \cdots$

of $M$. The transition $s_c \to s_{c+1}$ is not in $M$. Consider

$\pi'' = q_0 \xrightarrow{True} q_0 \cdots q_c \xrightarrow{p_c} q_{c+1} \xrightarrow{p'_1} q'_1 \xrightarrow{p'_2} q'_2 \cdots$

an accepting run of $B_{\neg P}$ where the prefix $q_0 \cdots q_{c+1}$ is common to $\pi'$ and $\pi''$. As $B_{\neg P} \in B_{mod}$, then $\forall j \cdot (j \geq 1 \Rightarrow q'_j \in A)$. Moreover, from Clause 3 in Definition 4.3, $p_c \Rightarrow p'_1$ and $\forall j \cdot (j > 1 \Rightarrow (p'_{j-1} \Rightarrow p'_j))$. As a consequence, $\forall j \cdot (j \geq 1 \Rightarrow (p_c \Rightarrow p'_j))$. Thus, $\pi''$ is an accepting run on $\sigma''$, i.e. $\forall i \cdot (k-1 \leq i \leq c \Rightarrow s_i \models p_i) \wedge \forall j \cdot (j \geq 1 \Rightarrow s_c \models p'_j)$. As the execution $\sigma''$ is accepted by $B_{\neg P}$, then $\neg(M \models P)$. □

Figure 3: Some Büchi automata



The class $B_{mod}$ contains some safety properties such as $\Box p$ or $\Box(p \Rightarrow \bigcirc q)$ (see Fig. 3(a)), all reachability properties such as $\Box\Diamond p$, and some liveness properties such as $\Box(p \Rightarrow \Diamond q)$ and $\Box(p \Rightarrow q\,\mathcal{W}\,r)$ (see Fig. 3(b) and Fig. 3(c)). However it does not contain liveness properties under fairness assumptions such as $\Box(\Box\Diamond p \Rightarrow \Diamond q) \Rightarrow \Box(r \Rightarrow \Diamond s)$ (see Fig. 3(d)).
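As an added illustration, not part of the original paper, the following Python code checks the three clauses of Definition 4.3 on hand-built Büchi automata. Labels are represented extensionally as sets of valuations over a fixed set of atoms, so that the implication $p \Rightarrow p'$ of Clause 3 is subset inclusion; Clause 2 is checked structurally over the reachable states, which assumes the automaton is trimmed (every reachable state lies on some accepting run). The three automata are constructed here: one for $\Diamond\neg p$ (the negation of $\Box p$), one for $\Diamond(p \wedge \Box\neg q)$ (the negation of $\Box(p \Rightarrow \Diamond q)$), and one for $\Box\Diamond\neg p$ (the negation of $\Diamond\Box p$), the last of which returns to its non-accepting initial state and therefore falls outside $B_{mod}$ by Clause 2.

```python
"""Structural membership test for the class B_mod (Definition 4.3).

Added example, not code from the paper.  A label is the set of valuations
(frozensets of true atoms) under which the proposition holds, so the
implication p => p' of Clause 3 is just subset inclusion.
"""
from itertools import combinations

ATOMS = ("p", "q")
# Every valuation over ATOMS, as the frozenset of atoms that are true in it.
ALL = frozenset(frozenset(c) for r in range(len(ATOMS) + 1)
                for c in combinations(ATOMS, r))
TRUE = ALL                                   # the label "True"


def lit(atom, positive=True):
    """Label of a literal: valuations making `atom` true (or false)."""
    return frozenset(v for v in ALL if (atom in v) == positive)


class Buchi:
    def __init__(self, init, accepting, edges):
        self.init = init                        # q0
        self.accepting = frozenset(accepting)   # A
        self.edges = list(edges)                # (q, label, q') triples

    def succ(self, q):
        return [(lab, q2) for (q1, lab, q2) in self.edges if q1 == q]

    def reachable(self):
        seen, todo = {self.init}, [self.init]
        while todo:
            for _, q2 in self.succ(todo.pop()):
                if q2 not in seen:
                    seen.add(q2)
                    todo.append(q2)
        return seen


def in_bmod(b):
    """Return (ok, reason) for the three clauses of Definition 4.3.

    Clause 2 is checked structurally, which assumes the automaton is trimmed
    (every reachable state lies on some accepting run)."""
    q0 = b.init
    # Clause 1: a loop labelled True on the initial state.
    if not any(lab == TRUE and q2 == q0 for lab, q2 in b.succ(q0)):
        return False, "clause 1: no True loop on the initial state"
    # Clause 2: every run is q0 ... q0 followed by accepting states only, so
    # every other reachable state is accepting and, unless q0 itself is
    # accepting, no run may come back to q0 once it has left it.
    for q in b.reachable():
        if q == q0:
            continue
        if q not in b.accepting:
            return False, f"clause 2: reachable non-accepting state {q}"
        if q0 not in b.accepting and any(q2 == q0 for _, q2 in b.succ(q)):
            return False, f"clause 2: {q} returns to the non-accepting {q0}"
    # Clause 3: after a transition q -p-> q' into an accepting state there is
    # a transition q' -p'-> q'' with p => p'.
    for (q, p, q2) in b.edges:
        if q2 in b.accepting and not any(p <= p2 for p2, _ in b.succ(q2)):
            return False, f"clause 3: no continuation implied by {q}->{q2}"
    return True, "in B_mod"


# Hand-built automata for negated properties (constructed for this example).
NOT_ALWAYS_P = Buchi("q0", {"q1"}, [            # accepts <>!p, i.e. not []p
    ("q0", TRUE, "q0"), ("q0", lit("p", False), "q1"), ("q1", TRUE, "q1")])
NOT_RESPONSE = Buchi("q0", {"q1"}, [            # accepts <>(p & []!q), not [](p -> <>q)
    ("q0", TRUE, "q0"), ("q0", lit("p") & lit("q", False), "q1"),
    ("q1", lit("q", False), "q1")])
NOT_PERSISTENCE = Buchi("q0", {"q1"}, [         # accepts []<>!p, i.e. not <>[]p
    ("q0", TRUE, "q0"), ("q0", lit("p", False), "q1"), ("q1", TRUE, "q0")])

if __name__ == "__main__":
    for name, aut in [("not []p", NOT_ALWAYS_P),
                      ("not [](p -> <>q)", NOT_RESPONSE),
                      ("not <>[]p", NOT_PERSISTENCE)]:
        print(name, in_bmod(aut))
```

The extensional encoding keeps the check decidable without a SAT solver; for automata produced by an LTL-to-Büchi translator the same test applies once each edge label has been expanded over the atoms of the formula.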



4.2 A partitioning based on refinement 

Consider a property $P$ that is verifiable by parts, and a transition system $TS$ on which $P$ globally holds. It is very likely that with an inappropriate partitioning $\mathcal{M}$ of $TS$, there is a part $M$ of $\mathcal{M}$ on which $P$ does not hold. In this case, we cannot conclude that $P$ is globally true from the partitioned verification. In other words, whether a globally true property is also true on every part depends on the way the global transition system is partitioned.
As a heuristic for the choice of an appropriate partitioning, we propose to partition a transition system according to the refinement process.

At every step of the refinement, the specifier introduces new actions and refines the old ones. We propose that the specifier also introduces the PLTL properties that can be observed thanks to these new actions at this very level of refinement. The properties verified at the former levels of refinement need not be verified again since PLTL properties are preserved by refinement [DJK03].

The new properties are likely to be observed on the "successions" of new actions, that is on the $\tau$-executions. Intuitively, a property that could be observed on a succession of more than one old action is not a new property.

According to this idea, we propose that the parts contain the $\tau$-executions of a refined system. Parts constructed in this way are called refinement based parts. We have proposed in [JMM01] a definition of such parts. The parts are built as follows (see Remark 3.4): to every state of the abstract system corresponds a part in the refined system. Let $s_1$ be a state of the abstract system. The part corresponding to $s_1$ is made of all the transitions of the refined system that have a state of $EC(s_1)$ as a source state. The target state $s'$ of such a transition is

• either a state itself glued to $s_1$; then the transition represents the occurrence of a new event, or of an old event if it refines an abstract transition $s_1 \to s_1$,

• or a state not glued to $s_1$; then the transition represents the occurrence of an old event, and means that the "end" of the module is reached: $s'$ has no successor in the part other than itself, by the virtual transition labelled Skip (see Remark 2.2).

The definition that we propose in this paper is slightly different because we are in the context of the refinement of fair transition systems. Thus, Definition 4.5 defines a part of a refined fair transition system according to the fair refinement relation $\rho_f$. A part is a transition system.

Let us first give the intuition of what the initial states, the states and the transitions of such a part are. Consider an abstract fair transition system $FTS_1$ and a fair transition system $FTS_2$ that refines $FTS_1$. Let $s_1$ be a state of $FTS_1$. We define the part $TS_M$ corresponding to $s_1$. We define $Y$ as the greatest set of states of $FTS_2$ that are successors of a state in $EC(s_1)$ by a transition labelled with an abstract action: $Y = \{ s' \mid s_2 \xrightarrow{a} s' \in \to_2 \wedge s_2 \in EC(s_1) \wedge s' \notin EC(s_1) \}$. We define $FS(Y)$ as the greatest set of states of $FTS_2$ that are reachable from a state of $Y$ by taking only fair transitions: $FS(Y) = \{ s_j \mid 1 \leq j \leq n \wedge \exists \sigma \cdot (\sigma \in \Sigma_{FTS_2} \wedge (s_0 \xrightarrow{a_0} s_1 \xrightarrow{a_1} \cdots s_j \cdots \xrightarrow{a_{n-1}} s_n) \subseteq \sigma \wedge s_0 \in Y \wedge \forall i \cdot (s_i \xrightarrow{a_i} s_{i+1} \in \bigcup_j F_{2_j})) \}$.

The initial states of $TS_M$ are the states of $EC(s_1)$ that are either initial states of $FTS_2$, or target states of a transition labelled with an abstract action whose source state is not in $EC(s_1)$. The transitions of $TS_M$ are:

• the transitions of $FTS_2$ that have a state of $EC(s_1)$ as a source state,

• the fair transitions of $FTS_2$ that have a state of $Y \cup FS(Y)$ as a source state,

• the transitions labelled with Skip that are added as loops on the states of $TS_M$ which have no successors among the states of $TS_M$.

Definition 4.5 (Refinement Based Part of a Fair Transition System) Let $FTS_1 = (S_{0_1}, S_1, Act_1, \to_1, L_1, \mathcal{F}_1)$ be a fair transition system which is refined by a fair transition system $FTS_2 = (S_{0_2}, S_2, Act_2, \to_2, L_2, \mathcal{F}_2)$ ($FTS_1 \sqsubseteq_f FTS_2$). Consider $s_1 \in S_1$ and $EC(s_1)$, the equivalence class of the states of $S_2$ glued to $s_1$. The part based on $EC(s_1)$ is a transition system $TS_M = (S_{0_M}, S_M, Act_M, \to_M, L_M)$ such that:

• $S_{0_M} = \{ s_2 \in EC(s_1) \mid s_2 \in S_{0_2} \vee \exists s \cdot \exists a \cdot (s \xrightarrow{a} s_2 \in \to_2 \wedge s \notin EC(s_1)) \}$,

• $S_M = EC(s_1) \cup Y \cup FS(Y)$,

• $\to_M = \{ s_2 \xrightarrow{a} s' \in \to_2 \mid s_2 \in EC(s_1) \} \cup \{ s \xrightarrow{a} s' \in \to_2 \mid s \in (Y \cup FS(Y)) \wedge s' \in FS(Y) \} \cup \{ s \xrightarrow{Skip} s \mid s \in S_M \wedge \forall (s', a) \cdot (s \xrightarrow{a} s' \in \to_2 \Rightarrow s' \notin S_M) \}$,

• $Act_M$ is the restriction of $Act_2$ to the labels of $\to_M$, augmented with Skip,

• $L_M$ is the restriction of $L_2$ to the states of $S_M$.

Figure 4: Example of refinement based parts (abstract transition system, refined transition system, and the parts $y_0$, $y_1$ and $y_2$)

Notice that there are at most as many parts in the refined transition system as states in the abstract transition system. As a consequence, the number of states of the abstract model can be used as a parameter for the user to control either the number, or the size, of the parts to be model-checked.

Remark 4.6 The properties that are not verifiable by parts for all possible partitionings, but only relative to the partitioning presented in Definition 4.5, are called verifiable by refinement based parts.

Example of refinement based partition according to Definition 4.5

In Fig. 4 we present an example of three parts $y_0$, $y_1$ and $y_2$ obtained according to Definition 4.5 from the refined transition system. We suppose that the states of the refined system and the abstract system are glued as follows: $r_0$ and $r_1$ with $s_0$, $r_2$ and $r_3$ with $s_1$, and $r_4$ and $r_5$ with $s_2$. The fair transitions are represented by dashed arrows in Fig. 4.

For example the part $y_0$ is the transition system composed of the states $EC(s_0) = \{r_0, r_1\}$, $Y = \{r_3\}$ and $FS(Y) = \{r_5\}$. It has one initial state $r_0$. It contains all the $\tau$-transitions between the states of $EC(s_0)$, the exit transition $r_1 \to r_3$, and the fair transition $r_3 \to r_5$. As this transition system deadlocks in $r_5$, we extend it with the transition $r_5 \xrightarrow{Skip} r_5$.
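The construction of Definition 4.5, as an added Python example that is not the authors' implementation. The refined system is hand-built: its gluing ($r_0, r_1$ with $s_0$; $r_2, r_3$ with $s_1$; $r_4, r_5$ with $s_2$), the exit transition $r_1 \to r_3$ and the fair transition $r_3 \to r_5$ follow the description of the part $y_0$ above, while the remaining transitions and the abstract action names a, b, c are assumptions made here so that the example runs. The second set of $\to_M$ is taken literally from the definition (transitions from $Y \cup FS(Y)$ into $FS(Y)$), and Skip loops are added on the states with no $\to_2$ successor inside $S_M$.

```python
"""Refinement based parts of a fair transition system (Definition 4.5).

Added example, not the authors' implementation.  The refined system FTS2 is
hand-built: the gluing, the exit transition r1 -a-> r3 and the fair transition
r3 -b-> r5 follow the part y0 described in the text; the other transitions
and the abstract actions a, b, c are assumptions made for the example.
"""
from collections import defaultdict

TAU, SKIP = "tau", "Skip"

INIT2 = {"r0"}                                   # S0_2
TRANS2 = [                                       # ->_2 as (source, action, target)
    ("r0", TAU, "r1"), ("r1", TAU, "r0"), ("r1", "a", "r3"),
    ("r3", TAU, "r2"), ("r2", TAU, "r3"), ("r3", "b", "r5"),
    ("r5", TAU, "r4"), ("r4", "c", "r0"),
]
FAIR2 = {("r3", "b", "r5")}                      # F_2: the dashed arrow
GLUE = {"r0": "s0", "r1": "s0", "r2": "s1",      # r rho_f s
        "r3": "s1", "r4": "s2", "r5": "s2"}


def equivalence_classes(glue):
    """EC(s1) for every abstract state s1."""
    ec = defaultdict(set)
    for r, s in glue.items():
        ec[s].add(r)
    return dict(ec)


def fair_closure(start, trans, fair):
    """FS(Y): states reached from `start` by taking fair transitions only."""
    reached, todo = set(), list(start)
    while todo:
        s = todo.pop()
        for tr in trans:
            if tr[0] == s and tr in fair and tr[2] not in reached:
                reached.add(tr[2])
                todo.append(tr[2])
    return reached


def refinement_based_part(s1, glue, init2, trans2, fair2):
    """The part TS_M based on EC(s1), as (S0_M, S_M, ->_M)."""
    ec = equivalence_classes(glue)[s1]
    # Y: targets outside EC(s1) of abstract-action transitions leaving EC(s1).
    y = {t for (s, a, t) in trans2 if s in ec and a != TAU and t not in ec}
    fs = fair_closure(y, trans2, fair2)
    states = ec | y | fs
    # S0_M: initial states of FTS2, or states entered from outside EC(s1).
    init = {s for s in ec if s in init2
            or any(t == s and src not in ec for (src, _, t) in trans2)}
    # First set of ->_M: everything leaving EC(s1).
    edges = {tr for tr in trans2 if tr[0] in ec}
    # Second set: transitions from Y u FS(Y) into FS(Y) (fair by construction
    # of FS(Y), which is the intuition given in the text).
    edges |= {tr for tr in trans2 if tr[0] in (y | fs) and tr[2] in fs}
    # Third set: Skip loops on states with no ->_2 successor inside S_M.
    for s in states:
        if not any(src == s and t in states for (src, _, t) in trans2):
            edges.add((s, SKIP, s))
    return init, states, edges


def all_parts(glue, init2, trans2, fair2):
    """One part per abstract state: at most |S_1| parts."""
    return {s1: refinement_based_part(s1, glue, init2, trans2, fair2)
            for s1 in equivalence_classes(glue)}


if __name__ == "__main__":
    for s1, (init, states, edges) in sorted(all_parts(GLUE, INIT2, TRANS2, FAIR2).items()):
        print(s1, "init:", sorted(init), "states:", sorted(states))
        for e in sorted(edges):
            print("   ", *e)
```

Running it reproduces the part $y_0$ of the example (initial state $r_0$, states $\{r_0, r_1, r_3, r_5\}$, the exit and fair transitions, and the Skip loop on $r_5$) and builds the two other parts from the same data; the $\tau$-transition $r_3 \to r_2$ is correctly absent from $y_0$ because it neither leaves $EC(s_0)$ nor enters $FS(Y)$.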

Next section describes how the partitioned verification applies for the verification of PLTL properties 
under fairness assumptions. 
5 Partitioned Model Checking under Fairness Assumptions



This section contains the main contribution of the paper. We study the verification by partitioned model checking of PLTL properties when the description of the environment uses fairness constraints. We show that partitioned model checking on transition systems can be used under fairness assumptions.

We do not include the fairness of the environment in the transition system; it is integrated as an assumption of the property to verify.

The verification by model checking of a PLTL property $P$ under fairness assumptions expressed by a PLTL formula $f$, on a transition system $TS$, amounts to verifying by model checking the property $f \Rightarrow P$ on $TS$. The question "does $TS$ provided with the fairness assumptions $f$ satisfy $P$?" is written as: $TS \models f \Rightarrow P$?

The Büchi automaton of $\neg(f \Rightarrow P)$ does not satisfy the sufficient condition allowing its verification in a partitioned way (see Section 4 and Fig. 3(d)). However, we prove that the formula $f \Rightarrow P$ becomes verifiable by refinement based parts (see Definition 4.5), i.e. $\forall M \cdot (M \text{ is a refinement based part} \Rightarrow M \models f \Rightarrow P) \Rightarrow TS \models f \Rightarrow P$ when $P$ is verifiable by parts. This is equivalent to saying that if, for all $M$ such that $M$ is a refinement based part, each computation of $M$ satisfies $P$, then all the computations of $TS$ satisfy $P$. Indeed, since the unfair executions of $M$ and $TS$ satisfy the formula $f \Rightarrow P$ because they do not satisfy $f$, we deduce that the verification of $f \Rightarrow P$ on $M$ (a refinement based part) and on $TS$ requires only the verification of $P$ on the computations (fair executions) of $M$ and $TS$.

Now, let us prove that each computation of $TS$ is a concatenation of fragments which are all prefixes of computations in refinement based parts.

Lemma 5.1 Suppose $FTS_1 \sqsubseteq_f FTS_2$. Each computation $\sigma$ of $FTS_2$ can be decomposed into fragments which are prefixes of computations in refinement based parts of $FTS_2$. More precisely, such a computation is either a suffix of $\sigma$, or a fragment of $\sigma$ which ends with a finite sequence of fair transitions followed by an infinite sequence of Skip transitions.

Proof. As the fair refinement is a $\tau$-simulation of $\tau\text{-}FTS_2$ by $FTS_1$, each computation $\sigma$ of $\tau\text{-}FTS_2$ is such that

$\sigma = s_0 \xrightarrow{\tau^*} s_{i_1 - 1} \xrightarrow{a_{i_1}} s_{i_1} \xrightarrow{\tau^*} s_{i_2 - 1} \xrightarrow{a_{i_2}} s_{i_2} \xrightarrow{\tau^*} s_{i_3 - 1} \xrightarrow{a_{i_3}} s_{i_3} \cdots$

where the $a_{i_j}$ are abstract actions. The decomposition by Definition 4.5 is such that each finite fragment of $\sigma$, $s_{i_{j-1}} \xrightarrow{\tau^*} s_{i_j - 1} \xrightarrow{a_{i_j}} s_{i_j}$, is a prefix of a computation of a refinement based part, which is either

• $\sigma' = s_{i_{j-1}} \xrightarrow{\tau^*} s_{i_j - 1} \xrightarrow{a_{i_j}} s_{i_j} \xrightarrow{c^*} s_c \xrightarrow{\tau^*} s_{i_j - 1} \xrightarrow{a_{i_j}} s_{i_j} \xrightarrow{c^*} s_c \cdots$, where $c \in Act_1 \cup \{\tau\}$ and $s_{i_j} \xrightarrow{c^*} s_c$ is a finite sequence of fair transitions and the states $s_c$ are not source states of a fair transition (here $\sigma'$ refines a suffix of a computation of the global system at the abstract level which runs around a cycle infinitely many times), or

• $\sigma'' = s_{i_{j-1}} \xrightarrow{\tau^*} s_{i_j - 1} \xrightarrow{a_{i_j}} s_{i_j} \xrightarrow{c^*} s_c \xrightarrow{Skip} s_c \xrightarrow{Skip} s_c \cdots$.

Obviously $\sigma'$ is a computation since $\sigma$ is a computation and $\sigma'$ is a suffix of $\sigma$. Also $\sigma''$ is a computation since, by construction, it is a fragment of the computation $\sigma$ prolonged by a finite sequence of fair transitions followed by an infinite sequence of Skip transitions. □



Correctness of the Partitioned Model Checking under Fairness Assumptions

In this section, we show that model checking by parts under fairness assumptions is sound. For that it is necessary that the parts are obtained according to Definition 4.5.

Theorem 5.2 Let $FTS = (TS, \mathcal{F})$ be a fair transition system which refines an abstract fair transition system. Let $\mathcal{M}$ be the set of refinement based parts according to Definition 4.5. Let $f$ be the PLTL formula which expresses the fairness assumptions of $FTS$. If $P$ is a PLTL formula such that $B_{\neg P} \in B_{mod}$ (as such, it is verifiable by parts on $TS$), then the property $f \Rightarrow P$ is verifiable by refinement based parts on $TS$.

Proof. Recall that in order to prove that the formula $f \Rightarrow P$ is verifiable by refinement based parts on $TS$, we must prove the following: if, for all $M$ such that $M$ is a refinement based part, each computation of $M$ satisfies $P$, then all the computations of $TS$ satisfy $P$.

Let $\sigma$ be a computation of $TS$. By Lemma 5.1 each fragment of the computation $\sigma$ is a prefix of a computation like $\sigma'$ or $\sigma''$ of a refinement based part. Therefore all the computations of the refinement based parts are extensions of all the fragments of the computations of the global system.

In the proof of Theorem 4.4 in Section 4.1.2 it is shown that when a property $P$ belongs to the class of properties verifiable by parts, and if the extensions of all the fragments of an execution $\sigma$ (in a global system) satisfy $P$, then $P$ holds on $\sigma$.

So, when each computation of a refinement based part satisfies $P$, and since $P$ is verifiable by parts, we conclude by Theorem 4.4 that $P$ holds on $\sigma$, which means that $f \Rightarrow P$ is verifiable by refinement based parts on $TS$. □

6 Example of the Protocol T=1

In this section, we present the example of the protocol T=1 [cdNE92] in order to illustrate how to verify PLTL properties under fairness assumptions in a partitioned way. We also define how to express the fairness of an environment in a B event system. We give the B event systems of the protocol, enriched with fairness assumptions, at the abstract and at the refined level. We also give the fair transition system which is the semantics of the abstract event system and the fair transition system which expresses the semantics at the refined level.

We also use this example to show that, without using fair refinement to obtain the set of parts, PLTL properties under fairness assumptions are not verifiable by parts.

6.1 Abstract Specification under Fairness Assumptions 

Figure 5 represents the abstract B event system of a half-duplex communication protocol between a chip integrated card and a card reader. At this level of specification, we consider only the alternation of the exchange of messages between the chip card and the reader.

Figure 6 represents the abstract transition system of the protocol. In this figure, each state is decorated with the values of the state variables. $Cstatus_1$ indicates whether the chip card is inserted in the reader or not. $Sender_1$ indicates the device which will send the next message, the chip card or the reader. The character '?' or '!' next to the reader indicates respectively that the reader is the receiver or the sender device. The state labelling function, called $L_1$, is the following:

$L_1 = \{ s_0 \mapsto \{Cstatus_1 = in, Sender_1 = reader\},$

$s_1 \mapsto \{Cstatus_1 = in, Sender_1 = card\},$

$s_2 \mapsto \{Cstatus_1 = out, Sender_1 = card\},$

$s_3 \mapsto \{Cstatus_1 = out, Sender_1 = reader\} \}$.

At the initial state, the chip card is inserted in the reader, and sending a message must be done by the 
reader. The protocol evolves by the action of four events: 

• Rsends: the reader sends a message, 

• Csends: the chip card sends a message, 

• Eject: the chip card is ejected, 

• Cinsert: the chip card is inserted. 
MACHINE tegl
SETS
  SENDER = {card, reader}; CARD_STATE = {in, out}
VARIABLES
  Sender_1, Cstatus_1
INVARIANT
  Sender_1 ∈ SENDER ∧ Cstatus_1 ∈ CARD_STATE
INITIALISATION
  Sender_1 := reader || Cstatus_1 := in
EVENTS
  Rsends  = SELECT Sender_1 = reader ∧ Cstatus_1 = in THEN Sender_1 := card END;
  Csends  = SELECT Sender_1 = card ∧ Cstatus_1 = in THEN Sender_1 := reader END;
  Eject   = SELECT Cstatus_1 = in THEN Cstatus_1 := out END;
  Cinsert = SELECT Cstatus_1 = out THEN Sender_1 := reader || Cstatus_1 := in END;
FAIRNESS = {Eject};
END

Figure 6: Abstract fair transition system of the protocol T=1



We assume that the applications which use the protocol do not request the transport of an infinite sequence of messages. This is a fairness constraint which comes from the environment. It ensures that the transmission of messages between the card and the reader terminates with the ejection of the card.

In B event systems we proposed the following extension. The fairness assumptions are written (e if p) [BCJK01], where e is the name of an event and p is a predicate characterizing the states in which e cannot be avoided when it is enabled infinitely often. When an event must always be fair, the fairness assumption is only the event name.

The fairness assumption on the environment of the protocol is defined by the clause FAIRNESS = {Eject} (see Fig. 5). In the abstract fair transition system of the protocol, the fairness assumption is expressed by the set $\mathcal{F}_1 = \{F_{11}\}$ where $F_{11} = \{ s_0 \xrightarrow{Eject} s_3,\ s_1 \xrightarrow{Eject} s_2 \}$.

The set of states $\{s_0, s_1\}$ is defined by the expression $Cstatus_1 = in$. The expression $Cstatus_1 = out$ defines the set of states $\{s_2, s_3\}$. So, the verification of a PLTL property $P$ on the transition system must be done under this fairness assumption, which is expressed by the PLTL formula:

$\Box(\Box\Diamond(Cstatus_1 = in) \Rightarrow \Diamond(Cstatus_1 = out))$.

This formula is a simplification of the formula obtained from the general formula presented in Section 2, which would be:

$\Box(\Box\Diamond((Cstatus_1 = in \wedge Sender_1 = reader) \vee (Cstatus_1 = in \wedge Sender_1 = card)) \Rightarrow \Diamond((Cstatus_1 = out \wedge Sender_1 = reader) \vee (Cstatus_1 = out \wedge Sender_1 = card)))$.

6.2 Refined Specification under Fairness Assumptions 

Figure 7 describes the refined B event specification of the protocol. At this level of specification, we view a message as a sequence of blocks ended by a last block (value lb). A block sent (value bl) is acknowledged by an acknowledgement block (value ackb). We call these three types of exchanged information frames.

After a last block is sent by one of the devices, the other device answers with a sequence of blocks ending 
by a last block unless the card is ejected. These exchanges of messages alternate until the card is ejected. 

The fair transition system shown in Fig. 8 describes the refined behaviour of the protocol. The states of the transition system are decorated with the values of the variables $CardF_2$ and $ReaderF_2$, which describe the type of the last frame sent respectively by the chip card and the reader, $SenderF_2$, which describes the device that will send the next frame, and $Cstatus_2$, which plays the same role as the variable $Cstatus_1$.

The gluing invariant is a part of the invariant in Fig. 7:

$I_{12} = (Cstatus_2 = Cstatus_1) \wedge$

$((ReaderF_2 = bl \vee ((CardF_2 = ackb \vee CardF_2 = lb) \wedge SenderF_2 = reader)) \Leftrightarrow (Sender_1 = reader)) \wedge$

$((CardF_2 = bl \vee ((ReaderF_2 = ackb \vee ReaderF_2 = lb) \wedge SenderF_2 = card)) \Leftrightarrow (Sender_1 = card))$.

With this gluing invariant, the states of the two transition systems in Fig. 6 and Fig. 8 are glued as follows:

• $r_0, r_2, r_3, r_{10}$ are glued with the state $s_0$,

• $r_5, r_7, r_8, r_9, r_{12}$ are glued with the state $s_1$,

• $r_6, r_{13}$ are glued with the state $s_2$,

• $r_1, r_{11}$ are glued with the state $s_3$.

From these four equivalence classes (see Section 4.2) we construct the four parts described in Fig. 9, Fig. 10, Fig. 11 and Fig. 12 (see the appendix).

The state labelling function, called $L_2$, is the following:

$L_2 = \{ r_0 \mapsto \{Cstatus_2 = in, SenderF_2 = reader, ReaderF_2 = lb, CardF_2 = lb\},$

$r_1 \mapsto \{Cstatus_2 = out, SenderF_2 = reader, ReaderF_2 = lb, CardF_2 = lb\},$

$r_2 \mapsto \{Cstatus_2 = in, SenderF_2 = card, ReaderF_2 = bl, CardF_2 = lb\},$

$\ldots \}$.

The old events Rsends and Csends terminate the emission of a message by sending the last block. We have strengthened the guard of the event Eject in order to forbid the ejection of the chip card during the transmission of a message. We have introduced four new events to take the transmission of blocks and acknowledgements into account:

• Rblocksends: the reader sends a block, 

• Cblocksends: the card sends a block, 

• Racksends: the reader sends an acknowledgement, 

• Cacksends: the card sends an acknowledgement. 
The fairness assumptions at the refined level are defined by the declaration FAIRNESS = {Eject, Csends if ($CardF_2 = bl$), Rsends if ($ReaderF_2 = bl$)}. The fairness assumption $h_1$ = Eject reformulates the abstract fairness assumption. It indicates that the end of the transmission is unavoidable. The fairness assumptions $h_2$ = Csends if ($CardF_2 = bl$) and $h_3$ = Rsends if ($ReaderF_2 = bl$) are new fairness assumptions which express that the messages sent by the chip card or the reader contain a finite number of blocks. They allow leaving the livelocks shown in Fig. 8. These assumptions must be satisfied by all the possible environments of the protocol.

The verification of a PLTL property $P$ on the transition system must be done under these fairness assumptions, expressed by the following PLTL formulae:

• $f'_1 = \Box(\Box\Diamond(Cstatus_2 = in \wedge ((SenderF_2 = reader \wedge CardF_2 = lb) \vee (SenderF_2 = card \wedge ReaderF_2 = lb))) \Rightarrow \Diamond\, Cstatus_2 = out)$ expresses $h_1$,

• $f_{21} = \Box(\Box\Diamond(SenderF_2 = card \wedge CardF_2 = bl) \Rightarrow \Diamond\, CardF_2 = lb)$ expresses $h_2$,

• $f_{22} = \Box(\Box\Diamond(SenderF_2 = reader \wedge ReaderF_2 = bl) \Rightarrow \Diamond\, ReaderF_2 = lb)$ expresses $h_3$.

The fairness assumptions are defined by the sets of fair transitions (represented in Fig. 8 by the dashed arrows) $\mathcal{F}_2 = \{F'_1, F_{21}, F_{22}\}$ where:

• $F'_1 \stackrel{def}{=} \{ r_0 \xrightarrow{Eject} r_1,\ r_{10} \xrightarrow{Eject} r_{11},\ r_{12} \xrightarrow{Eject} r_{13},\ r_5 \xrightarrow{Eject} r_6 \}$ formalizes $h_1$,

• $F_{21} \stackrel{def}{=} \{ r_8 \xrightarrow{Csends} r_{10} \}$ formalizes $h_2$,

• $F_{22} \stackrel{def}{=} \{ r_3 \xrightarrow{Rsends} \ldots \}$ formalizes $h_3$.
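As an added example, not the authors' tool chain, the Python code below derives the fair transition systems of both levels from the B text of Figures 5 and 7. It explores the states reachable from the INITIALISATION clause by firing every enabled event, turns each FAIRNESS clause (e if p) into the set of transitions labelled e whose source state satisfies p, and computes the gluing classes $EC(s_1)$ of the refined states from the gluing invariant $I_{12}$. The guards and actions are transcribed from the paper; encoding states as tuples of variable values, and the function names, are choices made here. It also checks the simulation underlying the refinement (Section 3): every refined transition is either a step of a new event inside one gluing class or the image of an abstract transition between the glued states.

```python
"""Fair transition systems of the T=1 event systems, computed from the B text.

Added example, not the authors' tool chain.  Guards and actions are
transcribed from the abstract machine and its refinement (Figures 5 and 7);
encoding states as tuples of variable values is a choice made here.
"""
from collections import deque

# Abstract machine: state = (Sender_1, Cstatus_1)
ABS_INIT = ("reader", "in")
ABS_EVENTS = {  # event -> (guard, action)
    "Rsends":  (lambda s, c: s == "reader" and c == "in", lambda s, c: ("card", c)),
    "Csends":  (lambda s, c: s == "card" and c == "in",   lambda s, c: ("reader", c)),
    "Eject":   (lambda s, c: c == "in",                   lambda s, c: (s, "out")),
    "Cinsert": (lambda s, c: c == "out",                  lambda s, c: ("reader", "in")),
}
ABS_FAIRNESS = {"Eject": lambda s, c: True}             # FAIRNESS = {Eject}


# Refined machine: state = (SenderF_2, Cstatus_2, CardF_2, ReaderF_2)
def _reader_may_send(sf, cs, cf, rf):
    return sf == "reader" and cs == "in" and cf in ("ackb", "lb")


def _card_may_send(sf, cs, cf, rf):
    return sf == "card" and cs == "in" and rf in ("ackb", "lb")


REF_INIT = ("reader", "in", "lb", "lb")
REF_EVENTS = {
    "Rsends":      (_reader_may_send, lambda sf, cs, cf, rf: ("card", cs, cf, "lb")),
    "Csends":      (_card_may_send,   lambda sf, cs, cf, rf: ("reader", cs, "lb", rf)),
    "Eject":       (lambda sf, cs, cf, rf: cs == "in" and ((sf == "card" and rf == "lb")
                                                           or (sf == "reader" and cf == "lb")),
                    lambda sf, cs, cf, rf: (sf, "out", cf, rf)),
    "Cinsert":     (lambda sf, cs, cf, rf: cs == "out",
                    lambda sf, cs, cf, rf: ("reader", "in", "lb", "lb")),
    "Rblocksends": (_reader_may_send, lambda sf, cs, cf, rf: ("card", cs, cf, "bl")),
    "Cblocksends": (_card_may_send,   lambda sf, cs, cf, rf: ("reader", cs, "bl", rf)),
    "Racksends":   (lambda sf, cs, cf, rf: sf == "reader" and cs == "in" and cf == "bl",
                    lambda sf, cs, cf, rf: ("card", cs, cf, "ackb")),
    "Cacksends":   (lambda sf, cs, cf, rf: sf == "card" and cs == "in" and rf == "bl",
                    lambda sf, cs, cf, rf: ("reader", cs, "ackb", rf)),
}
# FAIRNESS = {Eject, Csends if (CardF_2 = bl), Rsends if (ReaderF_2 = bl)}
REF_FAIRNESS = {
    "Eject":  lambda sf, cs, cf, rf: True,
    "Csends": lambda sf, cs, cf, rf: cf == "bl",
    "Rsends": lambda sf, cs, cf, rf: rf == "bl",
}


def explore(init, events, fairness):
    """Reachable states, transitions (s, e, s') and the fair transitions,
    where "e if p" selects the transitions labelled e leaving a p-state."""
    states, trans, fair, todo = {init}, [], set(), deque([init])
    while todo:
        s = todo.popleft()
        for name, (guard, action) in events.items():
            if guard(*s):
                t = action(*s)
                trans.append((s, name, t))
                if name in fairness and fairness[name](*s):
                    fair.add((s, name, t))
                if t not in states:
                    states.add(t)
                    todo.append(t)
    return states, trans, fair


def glue(r):
    """Abstract state glued to refined state r, read off the gluing invariant I_12."""
    sf, cs, cf, rf = r
    reader = rf == "bl" or (cf in ("ackb", "lb") and sf == "reader")
    card = cf == "bl" or (rf in ("ackb", "lb") and sf == "card")
    if reader == card:                      # I_12 would leave Sender_1 undetermined
        raise ValueError(f"gluing invariant inconsistent in {r}")
    return ("reader" if reader else "card", cs)


def gluing_classes(ref_states):
    """EC(s_1) for every abstract state s_1 that has a glued refined state."""
    classes = {}
    for r in ref_states:
        classes.setdefault(glue(r), set()).add(r)
    return classes


def simulates(ref_trans, abs_trans):
    """Refinement check: an old event maps onto an abstract transition between
    the glued states; a new event is a tau step inside one gluing class."""
    for (r, e, r2) in ref_trans:
        if e in ABS_EVENTS:
            if (glue(r), e, glue(r2)) not in abs_trans:
                return False
        elif glue(r) != glue(r2):
            return False
    return True


if __name__ == "__main__":
    a_states, a_trans, a_fair = explore(ABS_INIT, ABS_EVENTS, ABS_FAIRNESS)
    r_states, r_trans, r_fair = explore(REF_INIT, REF_EVENTS, REF_FAIRNESS)
    print(len(a_states), "abstract states,", len(r_states), "refined states")
    print({k: len(v) for k, v in gluing_classes(r_states).items()})
    print("simulation holds:", simulates(r_trans, a_trans))
```

The exploration yields the four abstract states with the two fair Eject transitions of $F_{11}$, and fourteen refined states falling into four gluing classes; the refined fair sets come out as four Eject transitions, one Csends transition leaving a $CardF_2 = bl$ state and one Rsends transition leaving a $ReaderF_2 = bl$ state, matching $F'_1$, $F_{21}$ and $F_{22}$ above.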



6.3 Example of the verification by parts 

In this section, we present an application of partitioned model checking to the example of the protocol T=1. We use the tool SPIN [Hol91] for the verification by model checking. The test consists in splitting the transition system of the protocol T=1, and in choosing a PLTL property $P$ verifiable by parts. Then, we verify $P$ under fairness assumptions $f$ on the global system, and on each part. Our goal is to illustrate that the property $f \Rightarrow P$ is verifiable in a partitioned way.

Figures 9 to 12 (see the appendix) represent the parts which are obtained by splitting the global transition system of Fig. 8, at the refined level, according to Definition 4.5.

Let us verify $P = \Box(CardF_2 = bl \Rightarrow \Diamond(CardF_2 = lb \wedge SenderF_2 = reader))$, which expresses that when the card sends a block, it will inevitably send a last block. We verify $P$ by refinement based parts under the fairness assumptions $f'_1$, $f_{21}$, $f_{22}$. The PLTL formula which expresses the fairness assumptions is $f = f'_1 \wedge f_{21} \wedge f_{22}$. The property to be verified is $Q = f \Rightarrow P$.

First, we checked with SPIN that $Q$ is satisfied on the global system of the T=1 protocol. Second, we verified $Q$ on each part in the following way. Before checking $Q$ on the part $s_0$ described in Fig. 9, we simplified $Q$ because the part $s_0$ is only concerned with the fairness assumption $f_{22}$: this part does not contain any cycle forbidden by the fairness assumptions $f'_1$ or $f_{21}$, therefore these assumptions are useless for checking $Q$ on this part. Thus we simplified $Q$ into $Q_1 = f_{22} \Rightarrow P$. We used SPIN to check that $Q_1$ is satisfied on the part $s_0$, therefore $Q$ is satisfied on $s_0$. The part $s_1$ in Fig. 10 is concerned with the fairness assumption $f_{21}$. So we simplified $Q$ into $Q_2 = f_{21} \Rightarrow P$. The property $Q_2$ is satisfied on the part $s_1$, therefore the property $Q$ is satisfied on $s_1$. The parts $s_2$ in Fig. 11 and $s_3$ in Fig. 12 do not contain cycles forbidden by the fairness assumptions; all their executions are fair. Thus they are not concerned with fairness assumptions. So we simplified $Q$ into $Q_3 = P$. The property $Q_3$ is satisfied on the parts $s_2$ and $s_3$, therefore the property $Q$ is also satisfied on these parts. According to Theorem 5.2 the property $Q$ is verifiable by refinement based parts (see Definition 4.5). Since all the parts satisfy $Q$, the global system of the protocol T=1 satisfies $Q$.

REFINEMENT teglref REFINES tegl
SETS
  FRAME = {bl, lb, ackb}
VARIABLES
  SenderF_2, Cstatus_2, CardF_2, ReaderF_2
INVARIANT
  SenderF_2 ∈ SENDER ∧ CardF_2 ∈ FRAME ∧ ReaderF_2 ∈ FRAME ∧ Cstatus_2 = Cstatus_1 ∧
  ((ReaderF_2 = bl ∨ ((CardF_2 = ackb ∨ CardF_2 = lb) ∧ SenderF_2 = reader)) ⇔ (Sender_1 = reader)) ∧
  ((CardF_2 = bl ∨ ((ReaderF_2 = ackb ∨ ReaderF_2 = lb) ∧ SenderF_2 = card)) ⇔ (Sender_1 = card))
INITIALISATION
  SenderF_2 := reader || Cstatus_2 := in || CardF_2 := lb || ReaderF_2 := lb
EVENTS
  Rsends = SELECT SenderF_2 = reader ∧ Cstatus_2 = in ∧ (CardF_2 = ackb ∨ CardF_2 = lb)
           THEN SenderF_2 := card || ReaderF_2 := lb END;
  Csends = SELECT SenderF_2 = card ∧ Cstatus_2 = in ∧ (ReaderF_2 = ackb ∨ ReaderF_2 = lb)
           THEN SenderF_2 := reader || CardF_2 := lb END;
  Eject = SELECT ((SenderF_2 = card ∧ ReaderF_2 = lb) ∨ (SenderF_2 = reader ∧ CardF_2 = lb)) ∧ Cstatus_2 = in
          THEN Cstatus_2 := out END;
  Cinsert = SELECT Cstatus_2 = out
            THEN SenderF_2 := reader || Cstatus_2 := in || CardF_2 := lb || ReaderF_2 := lb END;
  Rblocksends = SELECT SenderF_2 = reader ∧ Cstatus_2 = in ∧ (CardF_2 = ackb ∨ CardF_2 = lb)
                THEN SenderF_2 := card || ReaderF_2 := bl END;
  Cblocksends = SELECT SenderF_2 = card ∧ Cstatus_2 = in ∧ (ReaderF_2 = ackb ∨ ReaderF_2 = lb)
                THEN SenderF_2 := reader || CardF_2 := bl END;
  Racksends = SELECT SenderF_2 = reader ∧ Cstatus_2 = in ∧ CardF_2 = bl
              THEN SenderF_2 := card || ReaderF_2 := ackb END;
  Cacksends = SELECT SenderF_2 = card ∧ Cstatus_2 = in ∧ ReaderF_2 = bl
              THEN SenderF_2 := reader || CardF_2 := ackb END;
FAIRNESS = {Eject, Csends if (CardF_2 = bl), Rsends if (ReaderF_2 = bl)};
END

Figure 7: Refined B specification of the protocol T=1 under fairness assumptions

Figure 8: Refined fair transition system of the protocol T=1

6.4 Counter example if the condition of decomposition by refinement does not
hold

In this section, we give an example which shows that the approach of verifying a PLTL property by parts
under fairness assumptions is not correct when the condition (see Definition 4.5) of the decomposition by
refinement is not satisfied. We propose a decomposition of the system such that the executions of the parts
cannot leave the τ-cycles and the fair exiting cycles contained in the parts resulting from the decomposition. In
this example, we write $(r_i \rightarrow \ldots \rightarrow r_j)^*$ for a finite fragment of an execution which runs around a cycle finitely
many times, and $(r_i \rightarrow \ldots \rightarrow r_j)^\omega$ for an infinite fragment of an execution which runs around a cycle
infinitely many times.

Figures 13 and 14 represent the parts $s'_1$ and $s'_2$ obtained by splitting the global system of the protocol
T=1 without using the refinement. Notice that we have not used a refinement based partitioning, but a
partition of the transitions of the system.

Let us verify the PLTL property $P' = \Box(SenderF_2 = reader \wedge ReaderF_2 = lb \wedge Cstatus_2 = in \Rightarrow
\Diamond(ReaderF_2 = lb \wedge Cstatus_2 = out))$, which expresses that if the reader sends a last block then the card
will eventually be ejected. We verify $P'$ under the fairness assumptions $f = f'_1 \wedge f_{21} \wedge f_{22}$. Notice that $P'$
is verifiable by parts, because the Büchi automaton of $\neg P'$ belongs to the class $B_{mod}$. The property to be
verified by parts is $Q' = f \Rightarrow P'$.

We verified $Q'$ on the global system of the protocol T=1 using SPIN. Then, we verified $Q'$ on each part,
$s'_1$ and $s'_2$. The results are that $Q'$ is violated on the global system and satisfied on the parts. In the part
$s'_2$, the executions are not fair. Since $f$ is false on $s'_2$, $Q' = f \Rightarrow P'$ is satisfied on $s'_2$. $Q'$ is satisfied
on the part $s'_1$ because the only computations of this part are those which reach infinitely many times the
states $r_0$ and $r_1$ in Fig. 13. These executions satisfy $Q'$. The other executions of $s'_1$ are not fair, therefore
they satisfy $Q'$. Consequently, the property $Q'$ is not verifiable by parts although the Büchi automaton of
$\neg P'$ belongs to the class $B_{mod}$, i.e. $P'$ is verifiable by parts. We recall that a PLTL property $P$ under fairness
assumptions, $f \Rightarrow P$, is verifiable by parts under the following condition: "if the property is not satisfied on
the global system, then there is a part which violates the property".

With such a decomposition of the global system, the method of verifying by parts is not correct because
the parts do not contain fragments of some computations of the global system. For example, the computation

$$\sigma_1 \stackrel{def}{=} \left(r_0 \xrightarrow{Rblocksends} r_2 \xrightarrow{Cacksends} (r_3 \xrightarrow{Rblocksends} r_4 \xrightarrow{Cacksends} r_3)^* \xrightarrow{Rsends} r_5 \xrightarrow{Eject} r_6 \xrightarrow{Cinsert} r_0\right)^\omega$$

in Fig. 8 does not have fragments in the parts $s'_1$ and $s'_2$. Indeed the executions

$$\sigma_2 \stackrel{def}{=} r_0 \xrightarrow{Rblocksends} r_2 \xrightarrow{Cacksends} (r_3 \xrightarrow{Rblocksends} r_4 \xrightarrow{Cacksends} r_3)^\omega$$

in the part $s'_1$ and

$$\sigma_3 \stackrel{def}{=} (r_0 \xrightarrow{Rsends} r_{12} \xrightarrow{Csends} r_0)^\omega$$

in the part $s'_2$ are not extensions of fragments of the execution $\sigma_1$. As $\sigma_2$ and $\sigma_3$ are not fair, they satisfy
the property $Q'$. The method fails because there are computations of the global transition system which are
not verified in the parts, since their fragments do not exist in the computations of the parts. On
the other hand, the decomposition by refinement ensures that all the fragments of all the computations of
the global system are in the parts. For example, the computation $\sigma_1$ is broken into two fragments which we
find in the computations of the parts obtained by refinement. The first fragment of $\sigma_1$ is

$$\varphi_1 \stackrel{def}{=} r_0 \xrightarrow{Rblocksends} r_2 \xrightarrow{Cacksends} (r_3 \xrightarrow{Rblocksends} r_4 \xrightarrow{Cacksends} r_3)^* \xrightarrow{Rsends} r_5 \xrightarrow{Eject} r_6$$

which is a prefix of the computation

$$\sigma_4 \stackrel{def}{=} r_0 \xrightarrow{Rblocksends} r_2 \xrightarrow{Cacksends} r_3 \xrightarrow{Rblocksends} (r_4 \xrightarrow{Cacksends} r_3 \xrightarrow{Rblocksends} r_4)^* \xrightarrow{Rsends} r_5 \xrightarrow{Eject} (r_6 \xrightarrow{skip} r_6)^\omega$$

in the part $s_0$ in Fig. 9. We find also the second fragment

$$\varphi_2 \stackrel{def}{=} r_6 \xrightarrow{Cinsert} r_0$$

as a prefix of the computation

$$\sigma_5 \stackrel{def}{=} r_6 \xrightarrow{Cinsert} r_0 \xrightarrow{Eject} (r_1 \xrightarrow{skip} r_1)^\omega$$

in the part $s_2$ in Fig. 11. Let us note that $\sigma_1$ is the concatenation of these two fragments. The two executions
$\sigma_4$ and $\sigma_5$, which contain the fragments $\varphi_1$ and $\varphi_2$, are fair, therefore they satisfy $f$. Since $\sigma_4$ and $\sigma_5$ satisfy
also $Q = f \Rightarrow P$, as verified previously ($Q$ is the property verified by parts with a decomposition by
refinement in Section 5.3), they satisfy $P$. Since $P$ is verifiable by parts, the proof that $P$ is
satisfied on $\sigma_4$ and $\sigma_5$ is a proof that $P$ is satisfied on $\sigma_1$.
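As an added example, not code from the paper, the refined T=1 event system of Figure 7 is transcribed below into a small Python transition system, so that the executions of this section can be replayed and checked against the FAIRNESS set of the figure; the event names, guards and actions come from the figure, everything else (state encoding, function names) is assumed. The reading of fairness is an assumption: an item "E if c" is taken as strong fairness, so an event enabled with its condition true in some state of a cycle repeated forever must occur in that cycle, which agrees with the text's verdict that $\sigma_2$ and $\sigma_3$ are not fair.

```python
# Added example (not the paper's code): Figure 7's refined T=1 event system as a
# Python transition system; a state is (SenderF2, Cstatus2, CardF2, ReaderF2).
# ASSUMPTION: a fairness item "E if c" is read as strong fairness: if E is
# enabled with c true in some state of a cycle repeated forever, E fires in it.
INIT = ('reader', 'in', 'lb', 'lb')   # INITIALISATION of Figure 7

# (guard, action) pairs transcribed from the SELECT ... THEN ... END events
EVENTS = {
    'Rsends': (lambda s: s[0] == 'reader' and s[1] == 'in' and s[2] in ('ackb', 'lb'),
               lambda s: ('card', s[1], s[2], 'lb')),
    'Csends': (lambda s: s[0] == 'card' and s[1] == 'in' and s[3] in ('ackb', 'lb'),
               lambda s: ('reader', s[1], 'lb', s[3])),
    'Eject': (lambda s: s[1] == 'in' and ((s[0] == 'card' and s[3] == 'lb') or
                                          (s[0] == 'reader' and s[2] == 'lb')),
              lambda s: (s[0], 'out', s[2], s[3])),
    'Cinsert': (lambda s: s[1] == 'out', lambda s: INIT),
    'Rblocksends': (lambda s: s[0] == 'reader' and s[1] == 'in' and s[2] in ('ackb', 'lb'),
                    lambda s: ('card', s[1], s[2], 'bl')),
    'Cblocksends': (lambda s: s[0] == 'card' and s[1] == 'in' and s[3] in ('ackb', 'lb'),
                    lambda s: ('reader', s[1], 'bl', s[3])),
    'Racksends': (lambda s: s[0] == 'reader' and s[1] == 'in' and s[2] == 'bl',
                  lambda s: ('card', s[1], s[2], 'ackb')),
    'Cacksends': (lambda s: s[0] == 'card' and s[1] == 'in' and s[3] == 'bl',
                  lambda s: ('reader', s[1], 'ackb', s[3])),
}
# FAIRNESS = {Eject, Csends if (CardF2 = bl), Rsends if (ReaderF2 = bl)}
FAIRNESS = {'Eject': lambda s: True, 'Csends': lambda s: s[2] == 'bl',
            'Rsends': lambda s: s[3] == 'bl'}

def run(events, start=INIT):
    """Fire the named events in order; return the visited states, or None if a guard fails."""
    states = [start]
    for name in events:
        guard, act = EVENTS[name]
        if not guard(states[-1]): return None
        states.append(act(states[-1]))
    return states

def fair_cycle(events, start=INIT):
    """Is the execution start -> events -> start, repeated forever, fair (per ASSUMPTION)?"""
    states = run(events, start)
    if states is None or states[-1] != start:
        return False
    return all(name in events or not any(EVENTS[name][0](s) and cond(s) for s in states)
               for name, cond in FAIRNESS.items())

def satisfies_P_prime(cycle):
    """P' = [] (SenderF2=reader /\ ReaderF2=lb /\ Cstatus2=in => <> (ReaderF2=lb /\ Cstatus2=out))
    on a cycle repeated forever: the <> consequent must hold in some state of the cycle."""
    triggered = any(s[0] == 'reader' and s[3] == 'lb' and s[1] == 'in' for s in cycle)
    return not triggered or any(s[3] == 'lb' and s[1] == 'out' for s in cycle)
```

With this model the cycle of $\sigma_1$ (Rblocksends, Cacksends, Rblocksends, Cacksends, Rsends, Eject, Cinsert) is fair and satisfies $P'$, while the cycle Rsends, Cblocksends, Racksends, Csends, Eject, Cinsert is fair and never reaches ReaderF2 = lb with the card out, a concrete fair violation of $P'$ on the global system of the kind the text reports.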

7 Performance of the approach of the verification by parts

In this section, we show the experimental results of the approach of the verification by refinement based
parts. The expected performance is the capacity of this approach to verify a large set of different types of
properties at the refined level. So, we verify two examples of applications. The first example is the protocol
T=1, the second one is the car wind-screen wipers system. For each example we choose different PLTL
properties to verify. The properties must express the general behaviors of the systems.

At the end of this section, we compare our approach with Pnueli's approach [KPR98, KPRS01], which
is another verification approach under fairness assumptions.

The protocol T=1 at the refined level is described in the last section. We propose to verify by parts the
following PLTL properties, which express the main behaviors of the protocol:

• These properties express that always when a device sends a block then it will inevitably send a last
block:

$P_1 = \Box(CardF_2 = bl \Rightarrow \Diamond(CardF_2 = lb))$. $P_2 = \Box(ReaderF_2 = bl \Rightarrow \Diamond(ReaderF_2 = lb))$.

• These properties express that always when a device sends a block then the other device will inevitably
send an acknowledgment block:

$P_3 = \Box(CardF_2 = bl \Rightarrow \Diamond(ReaderF_2 = ackb))$. $P_4 = \Box(ReaderF_2 = bl \Rightarrow \Diamond(CardF_2 = ackb))$.

• This property expresses that when the card sends a block and the reader sends an acknowledgment
block, the card and the reader will respectively send an acknowledgment block and a block:

$P_5 = \Box(CardF_2 = bl \wedge ReaderF_2 = ackb \Rightarrow \Diamond(CardF_2 = ackb \wedge ReaderF_2 = bl))$.

• This property expresses the alternation of the sending of messages between the card and the reader:
$P_6 = \Box(SenderF_2 = card \Rightarrow \Diamond(SenderF_2 = reader))$.

The second application verified is the car wind-screen wipers system. At the refined level the system is
composed of a control level, a rain sensor and two (left and right) wind-screen wipers. The control level can
select the mode (automatic or manual) of the wiper system. The left and the right wipers have the same
behavior. The rain sensor can detect the rain amount (no rain, small rain, strong rain). We have verified
six properties on this application. The results are shown in the following section.






7.1 Results of the verification 



The following table indicates the results. We give the number of properties to verify, how many are globally 
true, how many globally false, and how many have been successfully verified by refinement based parts. 



Example              Properties   Globally true   Globally false   Verified by parts
protocol T=1         6            5               1                4
wind-screen wipers   6            6               0                4



These results show that we have successfully verified four properties by parts amongst the six that were
expressed, on the protocol T=1 system and on the car wind-screen wipers system. In the case of the protocol
T=1, the verification failed for properties $P_5$ and $P_6$. As $P_5$ is globally false, there is at least one part on
which it is false, namely $s_0$. In contrast, the property $P_6$ is globally true and our method failed to prove it by
refinement based parts (it is false on the parts $s_0$ and $s_1$). This is due to the fact that $P_6$ is not a new property.
It expresses an abstract behavior of the system, and should have been verified by parts at a former level of
refinement. Properties $P_1$, $P_2$, $P_3$ and $P_4$ express new behaviors of the system at the refined level, and as
expected, they have been successfully verified by parts.

We obtained the same results for the verification of the car wind-screen wipers system. The approach 
of the verification by parts fails in verifying two properties that have been verified at the abstract level. 
However, the approach succeeds in verifying properties that express the new behaviors of the system at the 
refined level. 

These results show that it would be interesting to study the relation between our approach of verification,
the new properties at the refined level, and the abstract properties, in order to characterize the
properties for which a verification by parts is suited.

7.2 Comparison with Pnueli's approach of verification 

An interesting method was proposed in [KPR98, KPRS01]: a symbolic model checking of PLTL
properties under fairness assumptions. This approach removes the fairness assumptions from the formula to
verify. It deals with the fairness assumptions at the algorithmic level instead of specifying them as a part
of the formula to be verified. Fairness assumptions are expressed as Büchi (for weak fairness) and Streett
(for strong fairness) automata acceptance conditions. So, this algorithm verifies the property $P$ instead of
verifying $f \Rightarrow P$. The verification consists of an emptiness check, which is implemented with BDDs.

This approach treats the problem of the combinatorial explosion of model checking by simplifying the
formula to verify under fairness assumptions. In our case we treat the problem of the combinatorial explosion
in the following way: we partition the transition system and we verify a property separately on each part.
Another difference is that we adapted the automata algorithm of Vardi and Wolper [VW86] instead of a
symbolic algorithm. However, we can combine our approach with Pnueli's approach. So, in order to verify a
property $P$ under fairness assumptions $f$, we verify the simplified formula $P$ by partitioning. We
will use Pnueli's approach to express the fairness assumptions by Streett and Büchi automata conditions on the
transition system of each part. Then we will exploit our approach to split the global transition system using
the fair refinement relation. Finally, we will verify $P$ on each part using symbolic model checking instead of
verifying $f \Rightarrow P$ on the global system.

8 Conclusion and Future Works 

In this paper, we extend the partitioned model checking technique presented in [JMM01] to handle the fairness
constraints of the system environment. Our goal is to verify PLTL properties under fairness assumptions
by parts. When the fairness constraints of the environment are expressed by fairness assumptions, the
verification by model checking of a partitioned property $P$ under fairness assumptions $f$ supposes verifying
by model checking the new property $Q = f \Rightarrow P$ on the transition system. However, the property $Q$ does
not necessarily belong to the class of properties verifiable by parts.

Our contribution in this paper is to prove that the split of the transition system into parts, using the
fair refinement relation, makes the property $Q$ verifiable by refinement based parts when $P$ is verifiable by
parts. The use of the fair refinement to split a transition system allows us to obtain refinement based parts
which contain computations. This is a sufficient condition to verify the property
$Q = f \Rightarrow P$ by refinement based parts. To handle the fairness constraints, we have proposed to use a fair transition system to model
a reactive system and its fairness environment. This framework is a transition system which contains only
computations.

The complexity of the refinement verification is linear in the size of the refined system, because it 
necessitates only an enumeration of the refined model when the gluing relation is a function. Therefore 
the verification by parts is interesting because the additive decomposition of a system comes for free from 
the refinement verification. 

In the future, we plan to implement the partitioned model checking technique so that we can evaluate
its performance on industrial applications. As we saw in the example of the protocol T=1, we can simplify
the fairness assumptions on each part, because not all the assumptions concern every part. So, the
simplification process needs to be further studied. We also plan to combine the approach of model checking by
parts with the approach [CJ03] of model checking under fairness assumptions, which exploits the fair refinement
in order to reduce the size of the formula to be verified under fairness assumptions.

Also, we must give simplification rules to translate fairness assumptions, as expressed in the event systems,
into PLTL formulae, as used by the usual model checking algorithms. We plan to study a variation of this
method which does not require the condition (b) in Definition 2.8. In this case the fairness assumptions are
not expressible in PLTL, but in a logic of actions such as the μ-calculus [CGP99].
Appendix

Figure 9: The part $s_0$ of the protocol T=1

Figure 10: The part $s_1$ of the protocol T=1

Figure 11: The part $s_2$ of the protocol T=1

Figure 12: The part $s_3$ of the protocol T=1

Figure 13: The part $s'_1$ of the protocol T=1

Figure 14: The part $s'_2$ of the protocol T=1